pony | 936e77203169953a14b2b19d09edd822cb14a3cbd2cb520d3f41f4eba02937a0

Analysis

max time kernel
145s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
Size

2.2MB
MD5

04d7acef871d0088d732f8ad3cdcdff8
SHA1

9a7be69a5077d08661c33b7c747f335dd1451df9
SHA256

936e77203169953a14b2b19d09edd822cb14a3cbd2cb520d3f41f4eba02937a0
SHA512

1839f74fffa49b700b56862ff816f60c8564d910a183cd3f33384267b8d63ee9fc70e56b141286ae33ca96a4fad3eacb30b6abea5a4131b84bd974875389b115
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZh:0UzeyQMS4DqodCnoe+iitjWwwl

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1300	explorer.exe
3596	explorer.exe
1044	spoolsv.exe
2492	spoolsv.exe
2448	spoolsv.exe
3332	spoolsv.exe
1960	spoolsv.exe
1448	spoolsv.exe
4396	spoolsv.exe
4860	spoolsv.exe
624	spoolsv.exe
3616	spoolsv.exe
2364	spoolsv.exe
3372	spoolsv.exe
544	spoolsv.exe
216	spoolsv.exe
2968	spoolsv.exe
3928	spoolsv.exe
4768	spoolsv.exe
1948	spoolsv.exe
3292	spoolsv.exe
556	spoolsv.exe
3100	spoolsv.exe
1952	spoolsv.exe
1828	spoolsv.exe
4976	spoolsv.exe
3088	spoolsv.exe
2628	spoolsv.exe
1560	spoolsv.exe
4888	spoolsv.exe
3728	spoolsv.exe
1188	spoolsv.exe
4812	spoolsv.exe
2116	explorer.exe
928	spoolsv.exe
5112	spoolsv.exe
1336	spoolsv.exe
3604	spoolsv.exe
2056	spoolsv.exe
1748	explorer.exe
2040	spoolsv.exe
3460	spoolsv.exe
1288	spoolsv.exe
4808	spoolsv.exe
3836	spoolsv.exe
4968	explorer.exe
1268	spoolsv.exe
2516	spoolsv.exe
1732	spoolsv.exe
3708	spoolsv.exe
4304	spoolsv.exe
1972	explorer.exe
2216	spoolsv.exe
4448	spoolsv.exe
4316	spoolsv.exe
528	spoolsv.exe
2696	spoolsv.exe
1920	spoolsv.exe
4416	explorer.exe
3132	spoolsv.exe
1432	spoolsv.exe
1932	spoolsv.exe
4084	spoolsv.exe
2660	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 51 IoCs

Processes:

04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 4436 set thread context of 1128	4436	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
PID 1300 set thread context of 3596	1300	explorer.exe	explorer.exe
PID 1044 set thread context of 4812	1044	spoolsv.exe	spoolsv.exe
PID 2492 set thread context of 928	2492	spoolsv.exe	spoolsv.exe
PID 2448 set thread context of 5112	2448	spoolsv.exe	spoolsv.exe
PID 3332 set thread context of 3604	3332	spoolsv.exe	spoolsv.exe
PID 1960 set thread context of 2056	1960	spoolsv.exe	spoolsv.exe
PID 1448 set thread context of 2040	1448	spoolsv.exe	spoolsv.exe
PID 4396 set thread context of 3460	4396	spoolsv.exe	spoolsv.exe
PID 4860 set thread context of 1288	4860	spoolsv.exe	spoolsv.exe
PID 624 set thread context of 3836	624	spoolsv.exe	spoolsv.exe
PID 3616 set thread context of 1268	3616	spoolsv.exe	spoolsv.exe
PID 2364 set thread context of 2516	2364	spoolsv.exe	spoolsv.exe
PID 3372 set thread context of 1732	3372	spoolsv.exe	spoolsv.exe
PID 544 set thread context of 4304	544	spoolsv.exe	spoolsv.exe
PID 216 set thread context of 2216	216	spoolsv.exe	spoolsv.exe
PID 2968 set thread context of 4448	2968	spoolsv.exe	spoolsv.exe
PID 3928 set thread context of 4316	3928	spoolsv.exe	spoolsv.exe
PID 4768 set thread context of 2696	4768	spoolsv.exe	spoolsv.exe
PID 1948 set thread context of 1920	1948	spoolsv.exe	spoolsv.exe
PID 3292 set thread context of 3132	3292	spoolsv.exe	spoolsv.exe
PID 556 set thread context of 1432	556	spoolsv.exe	spoolsv.exe
PID 3100 set thread context of 4084	3100	spoolsv.exe	spoolsv.exe
PID 1952 set thread context of 2660	1952	spoolsv.exe	spoolsv.exe
PID 1828 set thread context of 1100	1828	spoolsv.exe	spoolsv.exe
PID 4976 set thread context of 2396	4976	spoolsv.exe	spoolsv.exe
PID 3088 set thread context of 2132	3088	spoolsv.exe	spoolsv.exe
PID 2628 set thread context of 3772	2628	spoolsv.exe	spoolsv.exe
PID 1560 set thread context of 2096	1560	spoolsv.exe	spoolsv.exe
PID 4888 set thread context of 3284	4888	spoolsv.exe	spoolsv.exe
PID 3728 set thread context of 1916	3728	spoolsv.exe	spoolsv.exe
PID 1188 set thread context of 2276	1188	spoolsv.exe	spoolsv.exe
PID 2116 set thread context of 4556	2116	explorer.exe	explorer.exe
PID 1336 set thread context of 2716	1336	spoolsv.exe	spoolsv.exe
PID 1748 set thread context of 1964	1748	explorer.exe	explorer.exe
PID 4808 set thread context of 4792	4808	spoolsv.exe	spoolsv.exe
PID 4968 set thread context of 3940	4968	explorer.exe	explorer.exe
PID 3708 set thread context of 2372	3708	spoolsv.exe	spoolsv.exe
PID 1972 set thread context of 1764	1972	explorer.exe	explorer.exe
PID 528 set thread context of 2288	528	spoolsv.exe	spoolsv.exe
PID 4416 set thread context of 3216	4416	explorer.exe	explorer.exe
PID 1932 set thread context of 2128	1932	spoolsv.exe	spoolsv.exe
PID 316 set thread context of 4300	316	explorer.exe	explorer.exe
PID 4492 set thread context of 1308	4492	spoolsv.exe	spoolsv.exe
PID 1344 set thread context of 4384	1344	explorer.exe	explorer.exe
PID 1276 set thread context of 1404	1276	spoolsv.exe	spoolsv.exe
PID 1376 set thread context of 4056	1376	spoolsv.exe	spoolsv.exe
PID 1124 set thread context of 5056	1124	explorer.exe	explorer.exe
PID 3896 set thread context of 1892	3896	spoolsv.exe	spoolsv.exe
PID 1084 set thread context of 548	1084	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 1672	1300	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exe04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exeexplorer.exe

pid	process
1128	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
1128	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3596 explorer.exe

pid	process
3596	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1128	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
1128	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
3596	explorer.exe
4812	spoolsv.exe
4812	spoolsv.exe
928	spoolsv.exe
928	spoolsv.exe
5112	spoolsv.exe
5112	spoolsv.exe
3604	spoolsv.exe
3604	spoolsv.exe
2056	spoolsv.exe
2056	spoolsv.exe
2040	spoolsv.exe
2040	spoolsv.exe
3460	spoolsv.exe
3460	spoolsv.exe
1288	spoolsv.exe
1288	spoolsv.exe
3836	spoolsv.exe
3836	spoolsv.exe
1268	spoolsv.exe
1268	spoolsv.exe
2516	spoolsv.exe
2516	spoolsv.exe
1732	spoolsv.exe
1732	spoolsv.exe
4304	spoolsv.exe
4304	spoolsv.exe
2216	spoolsv.exe
2216	spoolsv.exe
4448	spoolsv.exe
4448	spoolsv.exe
4316	spoolsv.exe
4316	spoolsv.exe
2696	spoolsv.exe
2696	spoolsv.exe
1920	spoolsv.exe
1920	spoolsv.exe
3132	spoolsv.exe
3132	spoolsv.exe
1432	spoolsv.exe
1432	spoolsv.exe
4084	spoolsv.exe
4084	spoolsv.exe
2660	spoolsv.exe
2660	spoolsv.exe
1100	spoolsv.exe
1100	spoolsv.exe
2396	spoolsv.exe
2396	spoolsv.exe
2132	spoolsv.exe
2132	spoolsv.exe
3772	spoolsv.exe
3772	spoolsv.exe
2096	spoolsv.exe
2096	spoolsv.exe
3284	spoolsv.exe
3284	spoolsv.exe
1916	spoolsv.exe
1916	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4436 wrote to memory of 3952	4436	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	splwow64.exe
PID 4436 wrote to memory of 3952	4436	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	splwow64.exe
PID 4436 wrote to memory of 1128	4436	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
PID 4436 wrote to memory of 1128	4436	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
PID 4436 wrote to memory of 1128	4436	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
PID 4436 wrote to memory of 1128	4436	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
PID 4436 wrote to memory of 1128	4436	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
PID 1128 wrote to memory of 1300	1128	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	explorer.exe
PID 1128 wrote to memory of 1300	1128	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	explorer.exe
PID 1128 wrote to memory of 1300	1128	04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe	explorer.exe
PID 1300 wrote to memory of 3596	1300	explorer.exe	explorer.exe
PID 1300 wrote to memory of 3596	1300	explorer.exe	explorer.exe
PID 1300 wrote to memory of 3596	1300	explorer.exe	explorer.exe
PID 1300 wrote to memory of 3596	1300	explorer.exe	explorer.exe
PID 1300 wrote to memory of 3596	1300	explorer.exe	explorer.exe
PID 3596 wrote to memory of 1044	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 1044	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 1044	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2492	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2492	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2492	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2448	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2448	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2448	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3332	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3332	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3332	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 1960	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 1960	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 1960	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 1448	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 1448	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 1448	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 4396	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 4396	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 4396	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 4860	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 4860	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 4860	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 624	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 624	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 624	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3616	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3616	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3616	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2364	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2364	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2364	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3372	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3372	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3372	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 544	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 544	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 544	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 216	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 216	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 216	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2968	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2968	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 2968	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3928	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3928	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 3928	3596	explorer.exe	spoolsv.exe
PID 3596 wrote to memory of 4768	3596	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\04d7acef871d0088d732f8ad3cdcdff8_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1128

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1300

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1044

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4812

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2116

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2492

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2448

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3332

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1960

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2056

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1748

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1448

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4396

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4860

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:624

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3836

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4968

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3616

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2364

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3372

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:544

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4304

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1972

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:216

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2968

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3928

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4768

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1948

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1920

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4416

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3292

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:556

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3100

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1952

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1828

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1100

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:316

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4976

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3088

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2628

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1560

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:2096

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1344

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4888

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3728

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1188

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2276

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:1124

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1336

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2716

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4472

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4808

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4792

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:2776

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3708

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2372

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:528

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2288

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1932

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2128

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4492

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1308

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1276

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:1376

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4056

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:3896

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1084

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:548

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1300

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1672

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3124

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2700

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4596

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:1424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:608

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
e1a87528b5091b85561ad3bec5844a2b

SHA1
8e528ee87889462d3803b84c0ce8bb202c5b1f7b

SHA256
4fe6fecd941b548b9afef7a9b61284b833e4ad1326d8940e2306f2e471924f2e

SHA512
b8539d3d0f14cd5fe9dfc7ce232e22a5e8d2e1e338ee8547ede246572c5d39a52eb18d3d0dbb95333e66ddfe7055ee4f62a52b366208bf8b23898287a268b3ab

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
fe58af4b4052b0e9f481918899489343

SHA1
6b0a6b86c786f791cdcb0b529e6e030054fec3ba

SHA256
a276a79f6ad9194b3895288d7733fa972fcd1e535fc2e731af7b4b5a6689f05d

SHA512
ff924a67b4b3183a20c9316092070e9f44a8621add780ad10553ceb6abd2e7cfad3307caa7a97f10ada8d4df90b9ec1b5b3f040614b17bf660a641f5dcc08c37

Download Submit
memory/216-1663-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/544-1662-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/548-4933-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/556-1909-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/624-1353-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/928-1917-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/928-1920-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-1911-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1044-815-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1056-5218-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1100-2969-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1100-2798-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1128-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1268-2274-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1268-2277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1288-2126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-64-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1300-70-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1308-4552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-4620-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1432-2642-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-1180-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1672-5074-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-3972-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-3037-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-3028-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-2624-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-2780-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-5085-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1948-1845-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1952-1971-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1960-1179-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1964-3448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-2107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2056-2091-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2056-2245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-2986-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-3124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-4489-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2128-4346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-2816-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-2450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-3190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-3308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2288-4187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2288-4095-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-1507-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2372-4019-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-3886-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-2808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2448-1944-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2448-992-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2492-991-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2492-1921-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2516-2286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2660-2746-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2696-2533-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-3439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-3556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2968-1664-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3100-1919-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3216-4273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-2994-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-1908-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3332-2005-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3332-993-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3372-1508-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3460-2117-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-814-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-2009-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3616-1354-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3836-2265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3836-2423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3928-1843-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3940-3632-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4056-4782-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4056-4908-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-2736-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-4431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-2606-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-2442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-4560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-1181-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4436-32-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4436-28-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4436-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4436-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4448-2463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-3270-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-3267-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4596-5208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4732-5095-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4768-1844-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4792-3622-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4812-2078-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4812-1910-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-1352-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5008-5225-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-4793-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-1972-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download