pony | 0ff0e41ef25b9395bf7e81efadcbc326d32f496e688032d035bc4f18f0c91927

Analysis

max time kernel
131s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
Size

2.2MB
MD5

69f562b3cd8d3942b2cafcb42040a22e
SHA1

57639918b4297d2341f278d9e6b7fdcc1babf812
SHA256

0ff0e41ef25b9395bf7e81efadcbc326d32f496e688032d035bc4f18f0c91927
SHA512

91dcbba813ff6381925000ef9f00fe1d0de635d9d79072669e9b23dc18f7dc7c9e8f7d53e9630bdb87d3562f204284ea54091f7df9ee75373be0f3e19bee9dd3
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZz:0UzeyQMS4DqodCnoe+iitjWwwn

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3800	explorer.exe
1516	explorer.exe
1748	spoolsv.exe
2460	spoolsv.exe
2140	spoolsv.exe
220	spoolsv.exe
2112	spoolsv.exe
3756	spoolsv.exe
3468	spoolsv.exe
1476	spoolsv.exe
2528	spoolsv.exe
2000	spoolsv.exe
1296	spoolsv.exe
2016	spoolsv.exe
4500	spoolsv.exe
1876	spoolsv.exe
3784	spoolsv.exe
2824	spoolsv.exe
4872	spoolsv.exe
4860	spoolsv.exe
2764	spoolsv.exe
1824	spoolsv.exe
1816	spoolsv.exe
4724	spoolsv.exe
1316	spoolsv.exe
1148	spoolsv.exe
396	spoolsv.exe
2948	spoolsv.exe
468	spoolsv.exe
4712	spoolsv.exe
5072	spoolsv.exe
868	spoolsv.exe
4392	explorer.exe
3664	spoolsv.exe
2484	spoolsv.exe
3016	spoolsv.exe
3668	spoolsv.exe
3056	spoolsv.exe
3628	spoolsv.exe
2472	spoolsv.exe
3672	spoolsv.exe
2812	explorer.exe
1236	spoolsv.exe
2400	spoolsv.exe
2816	spoolsv.exe
1080	spoolsv.exe
1472	spoolsv.exe
4696	spoolsv.exe
3608	spoolsv.exe
2272	spoolsv.exe
3844	explorer.exe
2360	spoolsv.exe
4024	spoolsv.exe
3188	spoolsv.exe
2756	spoolsv.exe
400	spoolsv.exe
4024	explorer.exe
3656	spoolsv.exe
1680	spoolsv.exe
4364	spoolsv.exe
3988	explorer.exe
1444	spoolsv.exe
3900	spoolsv.exe
4708	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 39 IoCs

Processes:

69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 3668 set thread context of 1300	3668	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
PID 3800 set thread context of 1516	3800	explorer.exe	explorer.exe
PID 1748 set thread context of 868	1748	spoolsv.exe	spoolsv.exe
PID 2460 set thread context of 3664	2460	spoolsv.exe	spoolsv.exe
PID 2140 set thread context of 2484	2140	spoolsv.exe	spoolsv.exe
PID 220 set thread context of 3016	220	spoolsv.exe	spoolsv.exe
PID 2112 set thread context of 3056	2112	spoolsv.exe	spoolsv.exe
PID 3756 set thread context of 3628	3756	spoolsv.exe	spoolsv.exe
PID 3468 set thread context of 2472	3468	spoolsv.exe	spoolsv.exe
PID 1476 set thread context of 3672	1476	spoolsv.exe	spoolsv.exe
PID 2528 set thread context of 1236	2528	spoolsv.exe	spoolsv.exe
PID 2000 set thread context of 2816	2000	spoolsv.exe	spoolsv.exe
PID 1296 set thread context of 1080	1296	spoolsv.exe	spoolsv.exe
PID 2016 set thread context of 1472	2016	spoolsv.exe	spoolsv.exe
PID 4500 set thread context of 4696	4500	spoolsv.exe	spoolsv.exe
PID 1876 set thread context of 2272	1876	spoolsv.exe	spoolsv.exe
PID 3784 set thread context of 2360	3784	spoolsv.exe	spoolsv.exe
PID 2824 set thread context of 4024	2824	spoolsv.exe	explorer.exe
PID 4872 set thread context of 3188	4872	spoolsv.exe	spoolsv.exe
PID 4860 set thread context of 400	4860	spoolsv.exe	spoolsv.exe
PID 2764 set thread context of 3656	2764	spoolsv.exe	spoolsv.exe
PID 1824 set thread context of 1680	1824	spoolsv.exe	spoolsv.exe
PID 1816 set thread context of 4364	1816	spoolsv.exe	spoolsv.exe
PID 4724 set thread context of 3900	4724	spoolsv.exe	spoolsv.exe
PID 1316 set thread context of 4708	1316	spoolsv.exe	spoolsv.exe
PID 1148 set thread context of 1492	1148	spoolsv.exe	spoolsv.exe
PID 396 set thread context of 2108	396	spoolsv.exe	spoolsv.exe
PID 2948 set thread context of 4876	2948	spoolsv.exe	spoolsv.exe
PID 468 set thread context of 744	468	spoolsv.exe	spoolsv.exe
PID 4712 set thread context of 1016	4712	spoolsv.exe	spoolsv.exe
PID 5072 set thread context of 1668	5072	spoolsv.exe	spoolsv.exe
PID 4392 set thread context of 1084	4392	explorer.exe	explorer.exe
PID 3668 set thread context of 1452	3668	spoolsv.exe	spoolsv.exe
PID 2812 set thread context of 1732	2812	explorer.exe	explorer.exe
PID 2400 set thread context of 832	2400	spoolsv.exe	spoolsv.exe
PID 3608 set thread context of 4956	3608	spoolsv.exe	spoolsv.exe
PID 3844 set thread context of 1732	3844	explorer.exe	explorer.exe
PID 4024 set thread context of 4996	4024	explorer.exe	explorer.exe
PID 2756 set thread context of 3920	2756	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exe69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exeexplorer.exe

pid	process
1300	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
1300	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1516 explorer.exe

pid	process
1516	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1300	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
1300	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
1516	explorer.exe
868	spoolsv.exe
868	spoolsv.exe
3664	spoolsv.exe
3664	spoolsv.exe
2484	spoolsv.exe
2484	spoolsv.exe
3016	spoolsv.exe
3016	spoolsv.exe
3056	spoolsv.exe
3056	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
2472	spoolsv.exe
2472	spoolsv.exe
3672	spoolsv.exe
3672	spoolsv.exe
1236	spoolsv.exe
1236	spoolsv.exe
2816	spoolsv.exe
2816	spoolsv.exe
1080	spoolsv.exe
1080	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
4696	spoolsv.exe
4696	spoolsv.exe
2272	spoolsv.exe
2272	spoolsv.exe
2360	spoolsv.exe
2360	spoolsv.exe
4024	spoolsv.exe
4024	spoolsv.exe
3188	spoolsv.exe
3188	spoolsv.exe
400	spoolsv.exe
400	spoolsv.exe
3656	spoolsv.exe
3656	spoolsv.exe
1680	spoolsv.exe
1680	spoolsv.exe
4364	spoolsv.exe
4364	spoolsv.exe
3900	spoolsv.exe
3900	spoolsv.exe
4708	spoolsv.exe
4708	spoolsv.exe
1492	spoolsv.exe
1492	spoolsv.exe
2108	spoolsv.exe
2108	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe
744	spoolsv.exe
744	spoolsv.exe
1016	spoolsv.exe
1016	spoolsv.exe
1668	spoolsv.exe
1668	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3668 wrote to memory of 2960	3668	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	splwow64.exe
PID 3668 wrote to memory of 2960	3668	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	splwow64.exe
PID 3668 wrote to memory of 1300	3668	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
PID 3668 wrote to memory of 1300	3668	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
PID 3668 wrote to memory of 1300	3668	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
PID 3668 wrote to memory of 1300	3668	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
PID 3668 wrote to memory of 1300	3668	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
PID 1300 wrote to memory of 3800	1300	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	explorer.exe
PID 1300 wrote to memory of 3800	1300	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	explorer.exe
PID 1300 wrote to memory of 3800	1300	69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe	explorer.exe
PID 3800 wrote to memory of 1516	3800	explorer.exe	explorer.exe
PID 3800 wrote to memory of 1516	3800	explorer.exe	explorer.exe
PID 3800 wrote to memory of 1516	3800	explorer.exe	explorer.exe
PID 3800 wrote to memory of 1516	3800	explorer.exe	explorer.exe
PID 3800 wrote to memory of 1516	3800	explorer.exe	explorer.exe
PID 1516 wrote to memory of 1748	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1748	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1748	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2460	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2460	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2460	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2140	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2140	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2140	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 220	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 220	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 220	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2112	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2112	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2112	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 3756	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 3756	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 3756	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 3468	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 3468	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 3468	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1476	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1476	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1476	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2528	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2528	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2528	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2000	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2000	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2000	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1296	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1296	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1296	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2016	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2016	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2016	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 4500	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 4500	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 4500	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1876	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1876	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 1876	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 3784	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 3784	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 3784	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2824	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2824	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 2824	1516	explorer.exe	spoolsv.exe
PID 1516 wrote to memory of 4872	1516	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\69f562b3cd8d3942b2cafcb42040a22eJaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1300
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:868
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4392
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2460
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2140
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:220
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2112
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3756
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3468
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1476
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3672
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2812
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2000
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1296
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4500
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3844
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3784
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2824
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4872
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4860
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:400
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4024
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2764
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1824
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1816
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4364
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3988
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4724
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1316
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1148
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1492
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4600
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:468
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4712
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1016
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1312
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5072
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1668
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3540
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1452
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3000
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:832
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3608
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4956
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2756
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3920
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1444
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5328
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5172
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1940
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1640
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3936
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5092
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1304
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2404
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4136
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1744
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4508
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
f8de61b597b72e0964c64a4f1be39f32

SHA1
abd9ab9a8ec5aab5dfaefc57f6de617e7ea6edf3

SHA256
eb4800c67360ac753a5a27b95d2ad93b3302c0308cbe76168703d2bcbd4df7cc

SHA512
f6faa9650df33a4276d7f63de8bce16e4f34015233dcc562bd02bcfa8dfc4f3823e679bab71965dd91c49e3b2a8110473a8a496302e0d2932fc5032ade2ab173

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
15da68378e96c6702a033c5d72bb2299

SHA1
7e20cc60a970684d8739ee5553b60ddd9735f055

SHA256
8095f4d337133148f191829461cf700ffa290ba401b3249b2029c1a7ac44569d

SHA512
15473894d8709a87e4d5e4c38941e8013f1993a94c0a1dc8fa6bd88639a4443c85819631bb994a0f7909360d1989e60f889b1ea24c771066048144d2d07777a8

Download Submit
memory/220-1906-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/220-973-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/400-2603-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-2535-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/680-4992-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-2862-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/832-3896-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/832-3995-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-1859-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/868-2071-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-3069-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-2956-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-2191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-3503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1236-2098-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1296-1457-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1300-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-1900-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1356-4826-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-3639-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-3743-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1472-2198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1476-1272-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1492-2913-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1516-864-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1516-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-3420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-3352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1680-2553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-3889-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-4073-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1744-5096-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1748-1860-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1748-865-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1816-1879-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1824-1863-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1876-1608-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2000-1456-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2016-1458-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2108-2835-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2112-1154-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2140-972-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2140-1882-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2272-2343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2272-2517-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-1868-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2460-971-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2472-1997-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-1881-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-1273-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2764-1858-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2816-2182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-1773-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3016-1899-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3016-1907-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3056-1976-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3188-2377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-1156-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3628-1986-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3656-2544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3664-1870-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-28-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3668-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3668-32-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3668-0-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3672-2260-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-2090-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3756-1155-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3784-1609-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3800-74-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3800-79-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3900-2674-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3920-4299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4024-2367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-4953-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-2748-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-2636-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4500-1607-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4696-2210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4708-2682-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4724-1880-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4860-1775-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4872-1774-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4876-2853-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-2856-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-4062-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-4196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-4289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5160-4960-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5160-4962-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5172-4801-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5172-5072-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5204-4981-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5224-4568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5328-4582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5328-4705-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5336-4817-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5376-5104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5644-4838-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5644-4835-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5700-4847-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5808-4856-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5828-5089-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5860-4878-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6140-4938-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download