pony | 8081a64128437204e816d7fcf56e4482e75811f5bd3ad6bc8867661c496afb78

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
Size

2.2MB
MD5

7a72f2917272bb59494b03649b3b4200
SHA1

55860f1e6fb27f513c55650a55b0b51aeebfd11c
SHA256

8081a64128437204e816d7fcf56e4482e75811f5bd3ad6bc8867661c496afb78
SHA512

5045bf98c58a551b30df414a8780fcbf4c5c8ce17f102a9a92808b380662e9ceeb6266cd7596d08a2510da648efbbdb4363c75376709d78e6552fd9a0425502e
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZM:0UzeyQMS4DqodCnoe+iitjWwww

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 2 IoCs

Processes:

7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

pid	process
4052	explorer.exe
3208	explorer.exe
3400	spoolsv.exe
2916	spoolsv.exe
712	spoolsv.exe
4152	spoolsv.exe
4264	spoolsv.exe
1172	spoolsv.exe
4456	spoolsv.exe
1176	spoolsv.exe
2868	spoolsv.exe
4808	spoolsv.exe
3612	spoolsv.exe
216	spoolsv.exe
1016	spoolsv.exe
4300	spoolsv.exe
2896	spoolsv.exe
2076	spoolsv.exe
1996	spoolsv.exe
4788	spoolsv.exe
540	spoolsv.exe
8	spoolsv.exe
3228	spoolsv.exe
3232	spoolsv.exe
624	spoolsv.exe
4524	spoolsv.exe
364	spoolsv.exe
4740	spoolsv.exe
2044	spoolsv.exe
4204	spoolsv.exe
660	spoolsv.exe
836	spoolsv.exe
408	spoolsv.exe
536	spoolsv.exe
2720	spoolsv.exe
1564	spoolsv.exe
3708	spoolsv.exe
2488	explorer.exe
3876	spoolsv.exe
948	spoolsv.exe
3660	spoolsv.exe
5104	spoolsv.exe
4036	spoolsv.exe
4888	explorer.exe
1164	spoolsv.exe
4268	spoolsv.exe
4052	spoolsv.exe
432	spoolsv.exe
3060	spoolsv.exe
1184	spoolsv.exe
4016	spoolsv.exe
2432	spoolsv.exe
3340	spoolsv.exe
4552	explorer.exe
4876	spoolsv.exe
2856	spoolsv.exe
1180	spoolsv.exe
532	spoolsv.exe
3212	spoolsv.exe
4196	spoolsv.exe
1440	spoolsv.exe
380	spoolsv.exe
4352	spoolsv.exe
4572	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 54 IoCs

Processes:

7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3528 set thread context of 4384	3528	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
PID 4052 set thread context of 3208	4052	explorer.exe	explorer.exe
PID 3400 set thread context of 3708	3400	spoolsv.exe	spoolsv.exe
PID 2916 set thread context of 3876	2916	spoolsv.exe	spoolsv.exe
PID 712 set thread context of 948	712	spoolsv.exe	spoolsv.exe
PID 4152 set thread context of 5104	4152	spoolsv.exe	spoolsv.exe
PID 4264 set thread context of 4036	4264	spoolsv.exe	spoolsv.exe
PID 1172 set thread context of 1164	1172	spoolsv.exe	spoolsv.exe
PID 4456 set thread context of 4268	4456	spoolsv.exe	spoolsv.exe
PID 1176 set thread context of 4052	1176	spoolsv.exe	spoolsv.exe
PID 2868 set thread context of 432	2868	spoolsv.exe	spoolsv.exe
PID 4808 set thread context of 3060	4808	spoolsv.exe	spoolsv.exe
PID 3612 set thread context of 1184	3612	spoolsv.exe	spoolsv.exe
PID 216 set thread context of 2432	216	spoolsv.exe	spoolsv.exe
PID 1016 set thread context of 3340	1016	spoolsv.exe	spoolsv.exe
PID 4300 set thread context of 4876	4300	spoolsv.exe	spoolsv.exe
PID 2896 set thread context of 2856	2896	spoolsv.exe	spoolsv.exe
PID 2076 set thread context of 1180	2076	spoolsv.exe	spoolsv.exe
PID 1996 set thread context of 532	1996	spoolsv.exe	spoolsv.exe
PID 4788 set thread context of 3212	4788	spoolsv.exe	spoolsv.exe
PID 540 set thread context of 4196	540	spoolsv.exe	spoolsv.exe
PID 8 set thread context of 380	8	spoolsv.exe	spoolsv.exe
PID 3228 set thread context of 4352	3228	spoolsv.exe	spoolsv.exe
PID 3232 set thread context of 4580	3232	spoolsv.exe	spoolsv.exe
PID 624 set thread context of 3620	624	spoolsv.exe	spoolsv.exe
PID 4524 set thread context of 2788	4524	spoolsv.exe	spoolsv.exe
PID 364 set thread context of 4968	364	spoolsv.exe	spoolsv.exe
PID 4740 set thread context of 2008	4740	spoolsv.exe	spoolsv.exe
PID 2044 set thread context of 4956	2044	spoolsv.exe	spoolsv.exe
PID 4204 set thread context of 4480	4204	spoolsv.exe	spoolsv.exe
PID 660 set thread context of 4616	660	spoolsv.exe	spoolsv.exe
PID 836 set thread context of 3396	836	spoolsv.exe	spoolsv.exe
PID 408 set thread context of 2648	408	spoolsv.exe	spoolsv.exe
PID 536 set thread context of 3196	536	spoolsv.exe	spoolsv.exe
PID 2720 set thread context of 2260	2720	spoolsv.exe	spoolsv.exe
PID 1564 set thread context of 5024	1564	spoolsv.exe	spoolsv.exe
PID 2488 set thread context of 4600	2488	explorer.exe	explorer.exe
PID 3660 set thread context of 1224	3660	spoolsv.exe	spoolsv.exe
PID 4888 set thread context of 4212	4888	explorer.exe	explorer.exe
PID 4016 set thread context of 908	4016	spoolsv.exe	spoolsv.exe
PID 4552 set thread context of 2884	4552	explorer.exe	explorer.exe
PID 1440 set thread context of 5000	1440	spoolsv.exe	spoolsv.exe
PID 4572 set thread context of 716	4572	explorer.exe	explorer.exe
PID 1508 set thread context of 3324	1508	spoolsv.exe	spoolsv.exe
PID 4464 set thread context of 320	4464	explorer.exe	explorer.exe
PID 1652 set thread context of 4660	1652	spoolsv.exe	spoolsv.exe
PID 4388 set thread context of 3048	4388	explorer.exe	explorer.exe
PID 944 set thread context of 5016	944	spoolsv.exe	spoolsv.exe
PID 696 set thread context of 4844	696	spoolsv.exe	spoolsv.exe
PID 512 set thread context of 3576	512	explorer.exe	explorer.exe
PID 4476 set thread context of 1404	4476	spoolsv.exe	spoolsv.exe
PID 1588 set thread context of 716	1588	spoolsv.exe	spoolsv.exe
PID 4376 set thread context of 3028	4376	spoolsv.exe	spoolsv.exe
PID 3100 set thread context of 4008	3100	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exeexplorer.exe

pid	process
4384	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
4384	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3208 explorer.exe

pid	process
3208	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4384	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
4384	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3208	explorer.exe
3708	spoolsv.exe
3708	spoolsv.exe
3876	spoolsv.exe
3876	spoolsv.exe
948	spoolsv.exe
948	spoolsv.exe
5104	spoolsv.exe
5104	spoolsv.exe
4036	spoolsv.exe
4036	spoolsv.exe
1164	spoolsv.exe
1164	spoolsv.exe
4268	spoolsv.exe
4268	spoolsv.exe
4052	spoolsv.exe
4052	spoolsv.exe
432	spoolsv.exe
432	spoolsv.exe
3060	spoolsv.exe
3060	spoolsv.exe
1184	spoolsv.exe
1184	spoolsv.exe
2432	spoolsv.exe
2432	spoolsv.exe
3340	spoolsv.exe
3340	spoolsv.exe
4876	spoolsv.exe
4876	spoolsv.exe
2856	spoolsv.exe
2856	spoolsv.exe
1180	spoolsv.exe
1180	spoolsv.exe
532	spoolsv.exe
532	spoolsv.exe
3212	spoolsv.exe
3212	spoolsv.exe
4196	spoolsv.exe
4196	spoolsv.exe
380	spoolsv.exe
380	spoolsv.exe
4352	spoolsv.exe
4352	spoolsv.exe
4580	spoolsv.exe
4580	spoolsv.exe
3620	spoolsv.exe
3620	spoolsv.exe
2788	spoolsv.exe
2788	spoolsv.exe
4968	spoolsv.exe
4968	spoolsv.exe
2008	spoolsv.exe
2008	spoolsv.exe
4956	spoolsv.exe
4956	spoolsv.exe
4480	spoolsv.exe
4480	spoolsv.exe
4616	spoolsv.exe
4616	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3528 wrote to memory of 3640	3528	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	splwow64.exe
PID 3528 wrote to memory of 3640	3528	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	splwow64.exe
PID 3528 wrote to memory of 4384	3528	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
PID 3528 wrote to memory of 4384	3528	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
PID 3528 wrote to memory of 4384	3528	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
PID 3528 wrote to memory of 4384	3528	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
PID 3528 wrote to memory of 4384	3528	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
PID 4384 wrote to memory of 4052	4384	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	explorer.exe
PID 4384 wrote to memory of 4052	4384	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	explorer.exe
PID 4384 wrote to memory of 4052	4384	7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe	explorer.exe
PID 4052 wrote to memory of 3208	4052	explorer.exe	explorer.exe
PID 4052 wrote to memory of 3208	4052	explorer.exe	explorer.exe
PID 4052 wrote to memory of 3208	4052	explorer.exe	explorer.exe
PID 4052 wrote to memory of 3208	4052	explorer.exe	explorer.exe
PID 4052 wrote to memory of 3208	4052	explorer.exe	explorer.exe
PID 3208 wrote to memory of 3400	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 3400	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 3400	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2916	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2916	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2916	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 712	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 712	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 712	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4152	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4152	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4152	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4264	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4264	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4264	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1172	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1172	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1172	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4456	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4456	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4456	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1176	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1176	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1176	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2868	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2868	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2868	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4808	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4808	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4808	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 3612	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 3612	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 3612	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 216	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 216	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 216	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1016	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1016	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1016	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4300	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4300	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 4300	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2896	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2896	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2896	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2076	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2076	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 2076	3208	explorer.exe	spoolsv.exe
PID 3208 wrote to memory of 1996	3208	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7a72f2917272bb59494b03649b3b4200_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4384
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3708
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2488
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2916
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:712
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4264
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4036
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4888
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4456
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1176
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2868
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4808
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3612
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:216
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3340
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4552
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4788
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:8
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4352
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4572
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3232
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:624
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4524
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:364
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2044
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4204
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4480
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4464
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:660
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:836
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:408
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:536
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2720
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2260
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4388
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1564
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5024
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:512
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3660
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1224
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3572
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:908
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5000
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1508
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3324
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1652
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:944
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4476
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1588
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:716
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4376
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3100
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4008
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4188
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4292
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3348
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
bcba79826fa4a6191f92a7ae66e05806

SHA1
113a25a3af779fd2b4b966420ecad2164f0dcdf8

SHA256
1fc3d571d552af60df98a08071d0e94599fad27b6221ea89b7967900e598a343

SHA512
950d6309f418287eb4cb79f15e020d8d63cc43e90fd6ad1bf2db92759c174bd5c052d9acea25ad95b4ca0628976640b369c69ea83c5c8978cd73858a6f26405a

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
495ef460cf50cb6e4510bfb6bf4c2c5a

SHA1
1744fa8ce8dea197fb2ca77859a8c841a5967cd8

SHA256
789134772a019f6f6a7f966d84091c21cdefc24474e2519c568f9ad1a8c5e689

SHA512
716afd6348476bcf1427538c81f13366badb4f623f348eb0cf12d402ed0c99f797b614be61d86517751ade06aeb9cbdaa490db0ea3a035c37809078dfb33039c

Download Submit
memory/8-2352-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/216-1797-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/228-5702-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/320-5021-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/380-2906-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-2573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-2808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-2180-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/624-2367-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/712-1193-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/712-2378-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/716-4750-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/716-5236-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/716-5393-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/908-4199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-2376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-1798-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1164-2542-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1172-1386-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1176-1588-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1180-2797-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1184-2654-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1224-3951-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1996-2178-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2076-2009-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2260-3370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2260-3467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-2738-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-3220-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-3027-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2856-2785-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-1589-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2884-4372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-2008-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2916-1192-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2916-2368-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3028-5314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-5040-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-2583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3196-3230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-975-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-2817-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3228-2354-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3232-2355-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3324-5010-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3336-5557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3340-2946-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3340-2767-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3396-3210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3400-2357-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3400-986-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3528-38-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3528-0-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3528-31-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3528-33-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/3576-5075-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3612-1796-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3620-3016-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-2356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-2514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-2364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-5609-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-5482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-2734-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4036-2532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4052-75-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4052-81-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4052-2562-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4152-1194-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4196-2866-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4212-4022-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-1385-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4292-5775-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-2007-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4352-3170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4352-2999-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-37-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-1387-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4480-3348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-3192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-2377-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4580-3008-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-3006-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-3656-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-3199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-3203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-2179-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4808-1590-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4912-5643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4968-3053-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-4713-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-4599-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5024-3646-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5104-2464-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/5104-2466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download