pony | 35e971f3c8c717508409ba181ba3a770c4d0f63ea5cd69e0ddc0a4e27b628490

Analysis

max time kernel
133s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
Size

2.2MB
MD5

667082ff39a8a8c1e2fc1fa198fe34ff
SHA1

1e06af67016b42647d3f85c8ceb7e8a1000ed5a8
SHA256

35e971f3c8c717508409ba181ba3a770c4d0f63ea5cd69e0ddc0a4e27b628490
SHA512

14a7a117d0ebabea76b701a34c3cc384afd898d565a01e17c2cd52059153a10e62abc9fe13356914d8f9a413d9c03a57c1b7318c136e8cb07aa6eb9076eaf90e
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZA:0UzeyQMS4DqodCnoe+iitjWww8

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

pid	process
1812	explorer.exe
672	explorer.exe
4476	spoolsv.exe
2484	spoolsv.exe
1204	spoolsv.exe
1620	spoolsv.exe
3496	spoolsv.exe
2056	spoolsv.exe
3952	spoolsv.exe
4912	spoolsv.exe
552	spoolsv.exe
4772	spoolsv.exe
3492	spoolsv.exe
2552	spoolsv.exe
2160	spoolsv.exe
2180	spoolsv.exe
3028	spoolsv.exe
4696	spoolsv.exe
3192	spoolsv.exe
3120	spoolsv.exe
2272	spoolsv.exe
4092	spoolsv.exe
4880	spoolsv.exe
4076	spoolsv.exe
896	spoolsv.exe
1716	spoolsv.exe
1712	spoolsv.exe
1760	spoolsv.exe
1532	spoolsv.exe
3148	spoolsv.exe
4192	spoolsv.exe
3196	spoolsv.exe
3328	spoolsv.exe
432	explorer.exe
3856	spoolsv.exe
116	spoolsv.exe
2708	spoolsv.exe
228	spoolsv.exe
4412	spoolsv.exe
3500	spoolsv.exe
3812	spoolsv.exe
4936	explorer.exe
1876	spoolsv.exe
4992	spoolsv.exe
3948	spoolsv.exe
376	spoolsv.exe
4356	spoolsv.exe
4340	spoolsv.exe
2396	explorer.exe
1040	spoolsv.exe
1304	spoolsv.exe
4012	spoolsv.exe
4612	spoolsv.exe
3352	spoolsv.exe
2300	spoolsv.exe
4876	spoolsv.exe
3280	explorer.exe
3636	spoolsv.exe
4440	spoolsv.exe
3180	spoolsv.exe
2168	spoolsv.exe
3948	spoolsv.exe
1956	explorer.exe
4160	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 42 IoCs

Processes:

667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exe

description	pid	process	target process
PID 228 set thread context of 768	228	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
PID 1812 set thread context of 672	1812	explorer.exe	explorer.exe
PID 4476 set thread context of 3328	4476	spoolsv.exe	spoolsv.exe
PID 2484 set thread context of 3856	2484	spoolsv.exe	spoolsv.exe
PID 1204 set thread context of 116	1204	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 2708	1620	spoolsv.exe	spoolsv.exe
PID 3496 set thread context of 4412	3496	spoolsv.exe	spoolsv.exe
PID 2056 set thread context of 3500	2056	spoolsv.exe	spoolsv.exe
PID 3952 set thread context of 3812	3952	spoolsv.exe	spoolsv.exe
PID 4912 set thread context of 1876	4912	spoolsv.exe	spoolsv.exe
PID 552 set thread context of 4992	552	spoolsv.exe	spoolsv.exe
PID 4772 set thread context of 3948	4772	spoolsv.exe	spoolsv.exe
PID 3492 set thread context of 4356	3492	spoolsv.exe	spoolsv.exe
PID 2552 set thread context of 4340	2552	spoolsv.exe	spoolsv.exe
PID 2160 set thread context of 1040	2160	spoolsv.exe	spoolsv.exe
PID 2180 set thread context of 1304	2180	spoolsv.exe	spoolsv.exe
PID 3028 set thread context of 4612	3028	spoolsv.exe	spoolsv.exe
PID 4696 set thread context of 3352	4696	spoolsv.exe	spoolsv.exe
PID 3192 set thread context of 4876	3192	spoolsv.exe	spoolsv.exe
PID 3120 set thread context of 3636	3120	spoolsv.exe	spoolsv.exe
PID 2272 set thread context of 4440	2272	spoolsv.exe	spoolsv.exe
PID 4092 set thread context of 2168	4092	spoolsv.exe	spoolsv.exe
PID 4880 set thread context of 3948	4880	spoolsv.exe	spoolsv.exe
PID 4076 set thread context of 4160	4076	spoolsv.exe	spoolsv.exe
PID 896 set thread context of 4412	896	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 4904	1716	spoolsv.exe	spoolsv.exe
PID 1712 set thread context of 5080	1712	spoolsv.exe	spoolsv.exe
PID 1760 set thread context of 668	1760	spoolsv.exe	spoolsv.exe
PID 1532 set thread context of 4792	1532	spoolsv.exe	spoolsv.exe
PID 3148 set thread context of 4268	3148	spoolsv.exe	spoolsv.exe
PID 4192 set thread context of 2416	4192	spoolsv.exe	spoolsv.exe
PID 3196 set thread context of 3400	3196	spoolsv.exe	spoolsv.exe
PID 432 set thread context of 5108	432	explorer.exe	explorer.exe
PID 228 set thread context of 1356	228	spoolsv.exe	spoolsv.exe
PID 4936 set thread context of 5208	4936	explorer.exe	explorer.exe
PID 376 set thread context of 5660	376	spoolsv.exe	spoolsv.exe
PID 2396 set thread context of 5488	2396	explorer.exe	explorer.exe
PID 4012 set thread context of 5584	4012	spoolsv.exe	spoolsv.exe
PID 2300 set thread context of 624	2300	spoolsv.exe	spoolsv.exe
PID 3280 set thread context of 5352	3280	explorer.exe	explorer.exe
PID 3180 set thread context of 6076	3180	spoolsv.exe	spoolsv.exe
PID 1956 set thread context of 4480	1956	explorer.exe	explorer.exe

Drops file in Windows directory 64 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exeexplorer.exe

pid	process
768	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
768	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

672 explorer.exe

pid	process
672	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
768	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
768	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
672	explorer.exe
3328	spoolsv.exe
3328	spoolsv.exe
3856	spoolsv.exe
3856	spoolsv.exe
116	spoolsv.exe
116	spoolsv.exe
2708	spoolsv.exe
2708	spoolsv.exe
4412	spoolsv.exe
4412	spoolsv.exe
3500	spoolsv.exe
3500	spoolsv.exe
3812	spoolsv.exe
3812	spoolsv.exe
1876	spoolsv.exe
1876	spoolsv.exe
4992	spoolsv.exe
4992	spoolsv.exe
3948	spoolsv.exe
3948	spoolsv.exe
4356	spoolsv.exe
4356	spoolsv.exe
4340	spoolsv.exe
4340	spoolsv.exe
1040	spoolsv.exe
1040	spoolsv.exe
1304	spoolsv.exe
1304	spoolsv.exe
4612	spoolsv.exe
4612	spoolsv.exe
3352	spoolsv.exe
3352	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
4440	spoolsv.exe
4440	spoolsv.exe
2168	spoolsv.exe
2168	spoolsv.exe
3948	spoolsv.exe
3948	spoolsv.exe
4160	spoolsv.exe
4160	spoolsv.exe
4412	spoolsv.exe
4412	spoolsv.exe
4904	spoolsv.exe
4904	spoolsv.exe
5080	spoolsv.exe
5080	spoolsv.exe
668	spoolsv.exe
668	spoolsv.exe
4792	spoolsv.exe
4792	spoolsv.exe
4268	spoolsv.exe
4268	spoolsv.exe
2416	spoolsv.exe
2416	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 228 wrote to memory of 3140	228	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	splwow64.exe
PID 228 wrote to memory of 3140	228	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	splwow64.exe
PID 228 wrote to memory of 768	228	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
PID 228 wrote to memory of 768	228	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
PID 228 wrote to memory of 768	228	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
PID 228 wrote to memory of 768	228	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
PID 228 wrote to memory of 768	228	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
PID 768 wrote to memory of 1812	768	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	explorer.exe
PID 768 wrote to memory of 1812	768	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	explorer.exe
PID 768 wrote to memory of 1812	768	667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe	explorer.exe
PID 1812 wrote to memory of 672	1812	explorer.exe	explorer.exe
PID 1812 wrote to memory of 672	1812	explorer.exe	explorer.exe
PID 1812 wrote to memory of 672	1812	explorer.exe	explorer.exe
PID 1812 wrote to memory of 672	1812	explorer.exe	explorer.exe
PID 1812 wrote to memory of 672	1812	explorer.exe	explorer.exe
PID 672 wrote to memory of 4476	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4476	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4476	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2484	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2484	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2484	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 1204	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 1204	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 1204	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 1620	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 1620	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 1620	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3496	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3496	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3496	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2056	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2056	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2056	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3952	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3952	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3952	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4912	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4912	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4912	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 552	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 552	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 552	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4772	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4772	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4772	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3492	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3492	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3492	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2552	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2552	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2552	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2160	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2160	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2160	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2180	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2180	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 2180	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3028	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3028	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3028	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4696	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4696	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 4696	672	explorer.exe	spoolsv.exe
PID 672 wrote to memory of 3192	672	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3140
- C:\Users\Admin\AppData\Local\Temp\667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\667082ff39a8a8c1e2fc1fa198fe34ff_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:768
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4476
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3328
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:432
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2484
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1204
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1620
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3496
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3952
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3812
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4936
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4912
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4772
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3492
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4340
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2396
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2180
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3028
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3192
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4876
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3280
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3120
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2272
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4092
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4880
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3948
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1956
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1716
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1712
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5080
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2332
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1760
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3148
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4916
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4192
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3196
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3400
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2904
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1356
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1056
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:376
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5660
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4012
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5584
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:624
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3180
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6076
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:536
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:776
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4784
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:568
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4236
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:832
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3376
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2856
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:264
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5188
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:6008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
b8856744bb190cc367c4a0a6257ae2e5

SHA1
159198df62f39f72d74d7b9e1c4e65dbb8a13d5e

SHA256
887c0cb946220d3ec3ec6c9762a8739e900e60fcb58c2212e25a54910ebe445f

SHA512
9b26a15c2859ed172c15bbfe399b06ae439851320ad3c81256b99efd0a7dcf46d8e49b57d3aea564f7e3343caf58c2be380b4683249b4dd54d7af839d9a896d8

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
63a2810bc9d3878d29ad29109722870b

SHA1
1581062cc27f8a2a0c3c89d386b070993ff7ab90

SHA256
90fab49a904f36fbe415a466854c4961220da78d63a98cfac476e92a0e44e08a

SHA512
0b11d6ae6d88ae045e8acdb7e842bebbe81ff072747856b00921c0f542a976a0fbe82d574754a2660a0c75d0df0c0c67fddf470114e317c1f43b1a2cfda0b76b

Download Submit
memory/116-2031-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/228-42-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/228-0-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/228-38-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/228-36-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/536-4874-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/552-1408-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/624-4450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/668-3008-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/672-884-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/672-94-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/748-5076-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/768-77-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/896-2050-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1040-2402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1040-2406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1204-2032-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1204-1047-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1304-2417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1304-2412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1356-3903-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1356-4060-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-1048-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1812-95-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1812-90-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2056-1195-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2068-4868-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2160-1584-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2168-2736-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2180-1723-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2272-2005-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2412-5140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-5144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-3162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-2021-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2484-1046-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2552-1583-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2708-2057-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-5131-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3028-1724-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3120-1930-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3192-1929-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3328-2187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3328-2010-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3352-2500-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3384-5184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3400-3468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3400-3582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-1582-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3496-1194-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3500-2122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3636-2639-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3684-4958-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3812-2215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3812-2376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3856-2019-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-2247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-2833-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-2243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-2973-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-1196-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4076-2030-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4092-2008-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4132-4929-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4160-2843-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-3143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-2550-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-2338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-2328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4412-2852-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4412-2112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-2651-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-2011-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4476-885-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4480-4609-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-4909-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-4907-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-1928-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4772-1409-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4792-3017-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-2816-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-2632-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-2018-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4904-2873-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-1407-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4992-2233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-3081-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-3000-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-3675-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5208-3988-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5252-5241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5352-4460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5364-4900-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5488-4288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5584-4352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5660-4190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5660-4077-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5924-4948-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6076-4727-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download