pony | 7cb6c955e58cb1ab45c5bea8b765310c8659549f07b7bb08649915fff7c8a21a

Analysis

max time kernel
146s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
Size

2.2MB
MD5

24e7b637165474ecdad9da06a84bcb90
SHA1

1f37542fd688a87e0c89a42b44700b6c54ec3354
SHA256

7cb6c955e58cb1ab45c5bea8b765310c8659549f07b7bb08649915fff7c8a21a
SHA512

642438c279bf0c146160fad0748a08844f56de5be0b184b6ac3dc6a216c4fddd60299f338f3ac5c7b5d7caa70a1a8cd469404f56d6287078126280152d406599
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ1:0UzeyQMS4DqodCnoe+iitjWwwB

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1860	explorer.exe
4140	explorer.exe
3492	spoolsv.exe
1056	spoolsv.exe
4276	spoolsv.exe
1612	spoolsv.exe
808	spoolsv.exe
1732	spoolsv.exe
3452	spoolsv.exe
672	spoolsv.exe
3928	spoolsv.exe
956	spoolsv.exe
2796	spoolsv.exe
4888	spoolsv.exe
4568	spoolsv.exe
3992	spoolsv.exe
1904	spoolsv.exe
3652	spoolsv.exe
4072	spoolsv.exe
4472	spoolsv.exe
4456	spoolsv.exe
1596	spoolsv.exe
1760	spoolsv.exe
4536	spoolsv.exe
2980	spoolsv.exe
440	spoolsv.exe
3900	spoolsv.exe
1500	spoolsv.exe
4448	spoolsv.exe
4792	spoolsv.exe
3340	spoolsv.exe
1240	spoolsv.exe
1488	spoolsv.exe
1632	explorer.exe
64	spoolsv.exe
1860	spoolsv.exe
2404	spoolsv.exe
2772	spoolsv.exe
3384	spoolsv.exe
5016	explorer.exe
3740	spoolsv.exe
1436	spoolsv.exe
1208	spoolsv.exe
4520	spoolsv.exe
4012	spoolsv.exe
4264	spoolsv.exe
2328	spoolsv.exe
1080	explorer.exe
4516	spoolsv.exe
3408	spoolsv.exe
560	spoolsv.exe
2196	spoolsv.exe
3892	spoolsv.exe
3076	spoolsv.exe
2784	spoolsv.exe
2332	explorer.exe
3252	spoolsv.exe
2144	spoolsv.exe
3032	spoolsv.exe
4056	spoolsv.exe
628	spoolsv.exe
2080	spoolsv.exe
4376	spoolsv.exe
1964	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 53 IoCs

description	pid	Process	procid_target
PID 3096 set thread context of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 1860 set thread context of 4140	1860	explorer.exe	99
PID 3492 set thread context of 1488	3492	spoolsv.exe	136
PID 1056 set thread context of 64	1056	spoolsv.exe	138
PID 4276 set thread context of 1860	4276	spoolsv.exe	139
PID 1612 set thread context of 2772	1612	spoolsv.exe	141
PID 808 set thread context of 3384	808	spoolsv.exe	142
PID 1732 set thread context of 3740	1732	spoolsv.exe	144
PID 3452 set thread context of 1436	3452	spoolsv.exe	145
PID 672 set thread context of 1208	672	spoolsv.exe	146
PID 3928 set thread context of 4520	3928	spoolsv.exe	147
PID 956 set thread context of 4264	956	spoolsv.exe	149
PID 2796 set thread context of 2328	2796	spoolsv.exe	150
PID 4888 set thread context of 4516	4888	spoolsv.exe	152
PID 4568 set thread context of 3408	4568	spoolsv.exe	153
PID 3992 set thread context of 560	3992	spoolsv.exe	154
PID 1904 set thread context of 2196	1904	spoolsv.exe	155
PID 3652 set thread context of 3076	3652	spoolsv.exe	157
PID 4072 set thread context of 2784	4072	spoolsv.exe	158
PID 4472 set thread context of 3252	4472	spoolsv.exe	161
PID 4456 set thread context of 2144	4456	spoolsv.exe	162
PID 1596 set thread context of 4056	1596	spoolsv.exe	164
PID 1760 set thread context of 628	1760	spoolsv.exe	165
PID 4536 set thread context of 2080	4536	spoolsv.exe	166
PID 2980 set thread context of 4376	2980	spoolsv.exe	167
PID 440 set thread context of 1964	440	spoolsv.exe	168
PID 3900 set thread context of 2524	3900	spoolsv.exe	171
PID 1500 set thread context of 5108	1500	spoolsv.exe	172
PID 4448 set thread context of 968	4448	spoolsv.exe	173
PID 4792 set thread context of 5104	4792	spoolsv.exe	174
PID 3340 set thread context of 4356	3340	spoolsv.exe	176
PID 1240 set thread context of 4020	1240	spoolsv.exe	183
PID 1632 set thread context of 4800	1632	explorer.exe	185
PID 2404 set thread context of 1448	2404	spoolsv.exe	194
PID 5016 set thread context of 472	5016	explorer.exe	196
PID 4012 set thread context of 4820	4012	spoolsv.exe	203
PID 1080 set thread context of 1712	1080	explorer.exe	206
PID 3892 set thread context of 1868	3892	spoolsv.exe	209
PID 2332 set thread context of 4080	2332	explorer.exe	212
PID 3032 set thread context of 1676	3032	spoolsv.exe	215
PID 2072 set thread context of 5280	2072	spoolsv.exe	219
PID 3876 set thread context of 5288	3876	explorer.exe	220
PID 2976 set thread context of 5436	2976	spoolsv.exe	222
PID 3096 set thread context of 5480	3096	explorer.exe	223
PID 4084 set thread context of 5568	4084	spoolsv.exe	224
PID 1956 set thread context of 5628	1956	spoolsv.exe	225
PID 2620 set thread context of 5696	2620	spoolsv.exe	226
PID 1400 set thread context of 5776	1400	spoolsv.exe	227
PID 5104 set thread context of 5844	5104	explorer.exe	228
PID 2488 set thread context of 5912	2488	spoolsv.exe	229
PID 4400 set thread context of 5148	4400	spoolsv.exe	231
PID 4260 set thread context of 5520	4260	spoolsv.exe	232
PID 2580 set thread context of 3792	2580	spoolsv.exe	234

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4140	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
4140	explorer.exe
1488	spoolsv.exe
1488	spoolsv.exe
64	spoolsv.exe
64	spoolsv.exe
1860	spoolsv.exe
1860	spoolsv.exe
2772	spoolsv.exe
2772	spoolsv.exe
3384	spoolsv.exe
3384	spoolsv.exe
3740	spoolsv.exe
3740	spoolsv.exe
1436	spoolsv.exe
1436	spoolsv.exe
1208	spoolsv.exe
1208	spoolsv.exe
4520	spoolsv.exe
4520	spoolsv.exe
4264	spoolsv.exe
4264	spoolsv.exe
2328	spoolsv.exe
2328	spoolsv.exe
4516	spoolsv.exe
4516	spoolsv.exe
3408	spoolsv.exe
3408	spoolsv.exe
560	spoolsv.exe
560	spoolsv.exe
2196	spoolsv.exe
2196	spoolsv.exe
3076	spoolsv.exe
3076	spoolsv.exe
2784	spoolsv.exe
2784	spoolsv.exe
3252	spoolsv.exe
3252	spoolsv.exe
2144	spoolsv.exe
2144	spoolsv.exe
4056	spoolsv.exe
4056	spoolsv.exe
628	spoolsv.exe
628	spoolsv.exe
2080	spoolsv.exe
4376	spoolsv.exe
1964	spoolsv.exe
2080	spoolsv.exe
4376	spoolsv.exe
1964	spoolsv.exe
2524	spoolsv.exe
2524	spoolsv.exe
5108	spoolsv.exe
5108	spoolsv.exe
968	spoolsv.exe
968	spoolsv.exe
5104	spoolsv.exe
5104	spoolsv.exe
4356	spoolsv.exe
4356	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 2376	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	83
PID 3096 wrote to memory of 2376	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	83
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 3096 wrote to memory of 2944	3096	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	95
PID 2944 wrote to memory of 1860	2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	96
PID 2944 wrote to memory of 1860	2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	96
PID 2944 wrote to memory of 1860	2944	24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe	96
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 1860 wrote to memory of 4140	1860	explorer.exe	99
PID 4140 wrote to memory of 3492	4140	explorer.exe	100
PID 4140 wrote to memory of 3492	4140	explorer.exe	100
PID 4140 wrote to memory of 3492	4140	explorer.exe	100
PID 4140 wrote to memory of 1056	4140	explorer.exe	101
PID 4140 wrote to memory of 1056	4140	explorer.exe	101
PID 4140 wrote to memory of 1056	4140	explorer.exe	101
PID 4140 wrote to memory of 4276	4140	explorer.exe	102
PID 4140 wrote to memory of 4276	4140	explorer.exe	102
PID 4140 wrote to memory of 4276	4140	explorer.exe	102
PID 4140 wrote to memory of 1612	4140	explorer.exe	103
PID 4140 wrote to memory of 1612	4140	explorer.exe	103
PID 4140 wrote to memory of 1612	4140	explorer.exe	103
PID 4140 wrote to memory of 808	4140	explorer.exe	104
PID 4140 wrote to memory of 808	4140	explorer.exe	104
PID 4140 wrote to memory of 808	4140	explorer.exe	104
PID 4140 wrote to memory of 1732	4140	explorer.exe	105
PID 4140 wrote to memory of 1732	4140	explorer.exe	105
PID 4140 wrote to memory of 1732	4140	explorer.exe	105
PID 4140 wrote to memory of 3452	4140	explorer.exe	106
PID 4140 wrote to memory of 3452	4140	explorer.exe	106
PID 4140 wrote to memory of 3452	4140	explorer.exe	106
PID 4140 wrote to memory of 672	4140	explorer.exe	107
PID 4140 wrote to memory of 672	4140	explorer.exe	107
PID 4140 wrote to memory of 672	4140	explorer.exe	107
PID 4140 wrote to memory of 3928	4140	explorer.exe	108
PID 4140 wrote to memory of 3928	4140	explorer.exe	108
PID 4140 wrote to memory of 3928	4140	explorer.exe	108
PID 4140 wrote to memory of 956	4140	explorer.exe	109
PID 4140 wrote to memory of 956	4140	explorer.exe	109
PID 4140 wrote to memory of 956	4140	explorer.exe	109
PID 4140 wrote to memory of 2796	4140	explorer.exe	111
PID 4140 wrote to memory of 2796	4140	explorer.exe	111
PID 4140 wrote to memory of 2796	4140	explorer.exe	111
PID 4140 wrote to memory of 4888	4140	explorer.exe	112
PID 4140 wrote to memory of 4888	4140	explorer.exe	112
PID 4140 wrote to memory of 4888	4140	explorer.exe	112
PID 4140 wrote to memory of 4568	4140	explorer.exe	115
PID 4140 wrote to memory of 4568	4140	explorer.exe	115
PID 4140 wrote to memory of 4568	4140	explorer.exe	115
PID 4140 wrote to memory of 3992	4140	explorer.exe	116
PID 4140 wrote to memory of 3992	4140	explorer.exe	116
PID 4140 wrote to memory of 3992	4140	explorer.exe	116
PID 4140 wrote to memory of 1904	4140	explorer.exe	119
PID 4140 wrote to memory of 1904	4140	explorer.exe	119
PID 4140 wrote to memory of 1904	4140	explorer.exe	119
PID 4140 wrote to memory of 3652	4140	explorer.exe	121
PID 4140 wrote to memory of 3652	4140	explorer.exe	121
PID 4140 wrote to memory of 3652	4140	explorer.exe	121
PID 4140 wrote to memory of 4072	4140	explorer.exe	122

C:\Users\Admin\AppData\Local\Temp\24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\24e7b637165474ecdad9da06a84bcb90_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2944
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3492
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1632
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:64
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4276
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1612
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:808
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3384
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5016
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1732
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3452
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:672
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:956
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2796
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1080
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4888
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4568
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3992
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1904
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3652
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4072
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2332
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4456
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1596
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1760
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4536
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3876
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3900
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1500
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4792
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3340
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4356
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3096
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1240
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4020
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5104
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2404
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1448
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2780
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4012
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4820
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1868
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1676
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2072
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5280
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2976
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1956
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2620
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2488
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4260
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5520
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2580
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2908
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1460
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
45f301c3be9008ed05760789a1c7a214

SHA1
4384f8a3ff720de13de448b12951620534901d7e

SHA256
b532e3a4c306cb80b3185675f251cdc0ca7dfdeee61e70d832a1d119c6382aee

SHA512
4195553da66a70fe1ef2b064bb310c91d2c21cdabbc41c9c9be378b8760ab1e78dacf77ee698d87825408595ef37e55a898ce0e9a4cd1c9e628d702bff04af04

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
a6393a8421a1c06f0c5cacd52a745427

SHA1
54a716e7696c54f58774e5441233d23e31b1c9e1

SHA256
81a5e2d6e189335fc9cbc2427f9b3f4d2482913ad655414d71eb5438bfe56815

SHA512
bf76b201b499d8890434538a86dde2f5520ebb8a0a057563237a8543bcc47e651fce4012505066611e8a5888ce86b8485a2375c3dd5d7ec3353eef98edda5094

Download Submit
memory/64-1982-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/472-3686-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/560-2413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-2675-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/672-1355-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/808-1208-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/956-1357-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/968-2854-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-1080-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1056-1977-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1208-2196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-2189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-3784-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-3675-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-1971-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-2129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-1981-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1612-1082-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1612-2077-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1676-4540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1676-4633-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-4069-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-1209-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1760-1992-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1860-85-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1860-1993-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1860-90-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1868-4378-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-4280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1904-1732-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1964-2757-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-2927-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-2736-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-2580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-2595-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2328-2384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-2834-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-2081-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2784-2565-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2784-2719-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-1545-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2944-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-77-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3096-47-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3096-0-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3096-43-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3096-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3252-2575-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3384-2168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3408-2402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3452-1210-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3492-874-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3492-1972-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3652-1733-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3740-2178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3792-4988-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3928-1356-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3992-1731-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4020-3364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-3260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4056-2664-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-1897-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4080-4404-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-873-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-2299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-2313-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4276-1081-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4276-1995-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4356-3057-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-2964-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-2744-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-1970-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4472-1898-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4516-2391-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-2209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-2079-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4568-1547-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4800-3271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-3984-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-4121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4888-1546-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5108-2846-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5148-4919-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5280-4737-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5288-4743-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5436-4754-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5480-4764-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5520-4979-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5568-4771-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5628-4782-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5628-4785-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5652-5000-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5696-4791-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5696-4796-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5760-5011-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5776-4807-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5828-5019-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5844-4820-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5912-4838-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5992-5082-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download