pony | 9ea0b290149d02f68ac501f6661fa23e80f4ddaa6a5fffb1de8508b313f4e437

Analysis

max time kernel
124s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
Size

2.2MB
MD5

582c0a3f9fb0c8d41a9e00290918c1db
SHA1

bb2fc3812fa9a9a11156fb75b893e2a987ac668c
SHA256

9ea0b290149d02f68ac501f6661fa23e80f4ddaa6a5fffb1de8508b313f4e437
SHA512

c08edfa38fa3b5412c456ccdd25033bd8f2a2930affe1aecee0ffdda280997fdfb75b520e51e124cbe14ac2005ccaf11c0eaab3da613f91aefaff4f794711027
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZD:0UzeyQMS4DqodCnoe+iitjWww3

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

pid	process
2492	explorer.exe
400	explorer.exe
1360	spoolsv.exe
4980	spoolsv.exe
1276	spoolsv.exe
4180	spoolsv.exe
4008	spoolsv.exe
640	spoolsv.exe
4528	spoolsv.exe
4572	spoolsv.exe
4620	spoolsv.exe
2604	spoolsv.exe
992	spoolsv.exe
3388	spoolsv.exe
2400	spoolsv.exe
3564	spoolsv.exe
1668	spoolsv.exe
4824	spoolsv.exe
1324	spoolsv.exe
1712	spoolsv.exe
552	spoolsv.exe
3404	spoolsv.exe
2568	spoolsv.exe
1388	spoolsv.exe
5096	spoolsv.exe
4592	spoolsv.exe
536	spoolsv.exe
1156	explorer.exe
3028	spoolsv.exe
2064	spoolsv.exe
3328	spoolsv.exe
1988	spoolsv.exe
3264	spoolsv.exe
4480	explorer.exe
1184	spoolsv.exe
8	spoolsv.exe
1804	spoolsv.exe
1472	spoolsv.exe
4036	explorer.exe
1404	spoolsv.exe
5108	spoolsv.exe
4532	spoolsv.exe
4324	spoolsv.exe
3112	explorer.exe
4320	spoolsv.exe
2028	spoolsv.exe
3328	spoolsv.exe
4680	explorer.exe
1392	spoolsv.exe
3432	spoolsv.exe
5004	spoolsv.exe
5076	spoolsv.exe
4656	explorer.exe
4356	spoolsv.exe
888	spoolsv.exe
4904	spoolsv.exe
2592	spoolsv.exe
2580	explorer.exe
1956	spoolsv.exe
636	spoolsv.exe
3948	spoolsv.exe
956	explorer.exe
1652	spoolsv.exe
376	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 32 IoCs

Processes:

582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exe

description	pid	process	target process
PID 2948 set thread context of 4796	2948	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
PID 2492 set thread context of 400	2492	explorer.exe	explorer.exe
PID 1360 set thread context of 536	1360	spoolsv.exe	spoolsv.exe
PID 4980 set thread context of 2064	4980	spoolsv.exe	spoolsv.exe
PID 1276 set thread context of 3328	1276	spoolsv.exe	spoolsv.exe
PID 4180 set thread context of 3264	4180	spoolsv.exe	spoolsv.exe
PID 4008 set thread context of 1184	4008	spoolsv.exe	spoolsv.exe
PID 640 set thread context of 8	640	spoolsv.exe	spoolsv.exe
PID 4528 set thread context of 1472	4528	spoolsv.exe	spoolsv.exe
PID 4572 set thread context of 1404	4572	spoolsv.exe	spoolsv.exe
PID 4620 set thread context of 5108	4620	spoolsv.exe	spoolsv.exe
PID 2604 set thread context of 4324	2604	spoolsv.exe	spoolsv.exe
PID 992 set thread context of 2028	992	spoolsv.exe	spoolsv.exe
PID 3388 set thread context of 3328	3388	spoolsv.exe	spoolsv.exe
PID 2400 set thread context of 1392	2400	spoolsv.exe	spoolsv.exe
PID 3564 set thread context of 5004	3564	spoolsv.exe	spoolsv.exe
PID 1668 set thread context of 5076	1668	spoolsv.exe	spoolsv.exe
PID 4824 set thread context of 4356	4824	spoolsv.exe	spoolsv.exe
PID 1324 set thread context of 888	1324	spoolsv.exe	spoolsv.exe
PID 1712 set thread context of 2592	1712	spoolsv.exe	spoolsv.exe
PID 552 set thread context of 1956	552	spoolsv.exe	spoolsv.exe
PID 3404 set thread context of 3948	3404	spoolsv.exe	spoolsv.exe
PID 2568 set thread context of 1652	2568	spoolsv.exe	spoolsv.exe
PID 1388 set thread context of 376	1388	spoolsv.exe	spoolsv.exe
PID 5096 set thread context of 3992	5096	spoolsv.exe	spoolsv.exe
PID 4592 set thread context of 860	4592	spoolsv.exe	spoolsv.exe
PID 3028 set thread context of 1600	3028	spoolsv.exe	spoolsv.exe
PID 1156 set thread context of 3468	1156	explorer.exe	explorer.exe
PID 1988 set thread context of 3412	1988	spoolsv.exe	spoolsv.exe
PID 4480 set thread context of 3284	4480	explorer.exe	explorer.exe
PID 1804 set thread context of 3304	1804	spoolsv.exe	spoolsv.exe
PID 4036 set thread context of 3980	4036	explorer.exe	explorer.exe

Drops file in Windows directory 57 IoCs

Processes:

spoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exe582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exeexplorer.exe

pid	process
4796	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
4796	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4796	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
4796	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
400	explorer.exe
536	spoolsv.exe
536	spoolsv.exe
2064	spoolsv.exe
2064	spoolsv.exe
3328	spoolsv.exe
3328	spoolsv.exe
3264	spoolsv.exe
3264	spoolsv.exe
1184	spoolsv.exe
1184	spoolsv.exe
8	spoolsv.exe
8	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
1404	spoolsv.exe
1404	spoolsv.exe
5108	spoolsv.exe
5108	spoolsv.exe
4324	spoolsv.exe
4324	spoolsv.exe
2028	spoolsv.exe
2028	spoolsv.exe
3328	spoolsv.exe
3328	spoolsv.exe
1392	spoolsv.exe
1392	spoolsv.exe
5004	spoolsv.exe
5004	spoolsv.exe
5076	spoolsv.exe
5076	spoolsv.exe
4356	spoolsv.exe
4356	spoolsv.exe
888	spoolsv.exe
888	spoolsv.exe
2592	spoolsv.exe
2592	spoolsv.exe
1956	spoolsv.exe
1956	spoolsv.exe
3948	spoolsv.exe
3948	spoolsv.exe
1652	spoolsv.exe
1652	spoolsv.exe
376	spoolsv.exe
376	spoolsv.exe
3992	spoolsv.exe
3992	spoolsv.exe
860	spoolsv.exe
860	spoolsv.exe
1600	spoolsv.exe
1600	spoolsv.exe
3468	explorer.exe
3468	explorer.exe
3412	spoolsv.exe
3412	spoolsv.exe
3284	explorer.exe
3284	explorer.exe
3304	spoolsv.exe
3304	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2948 wrote to memory of 2860	2948	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	splwow64.exe
PID 2948 wrote to memory of 2860	2948	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	splwow64.exe
PID 2948 wrote to memory of 4796	2948	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
PID 2948 wrote to memory of 4796	2948	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
PID 2948 wrote to memory of 4796	2948	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
PID 2948 wrote to memory of 4796	2948	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
PID 2948 wrote to memory of 4796	2948	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
PID 4796 wrote to memory of 2492	4796	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	explorer.exe
PID 4796 wrote to memory of 2492	4796	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	explorer.exe
PID 4796 wrote to memory of 2492	4796	582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe	explorer.exe
PID 2492 wrote to memory of 400	2492	explorer.exe	explorer.exe
PID 2492 wrote to memory of 400	2492	explorer.exe	explorer.exe
PID 2492 wrote to memory of 400	2492	explorer.exe	explorer.exe
PID 2492 wrote to memory of 400	2492	explorer.exe	explorer.exe
PID 2492 wrote to memory of 400	2492	explorer.exe	explorer.exe
PID 400 wrote to memory of 1360	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 1360	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 1360	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4980	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4980	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4980	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 1276	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 1276	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 1276	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4180	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4180	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4180	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4008	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4008	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4008	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 640	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 640	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 640	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4528	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4528	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4528	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4572	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4572	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4572	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4620	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4620	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4620	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 2604	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 2604	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 2604	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 992	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 992	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 992	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 3388	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 3388	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 3388	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 2400	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 2400	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 2400	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 3564	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 3564	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 3564	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 1668	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 1668	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 1668	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4824	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4824	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 4824	400	explorer.exe	spoolsv.exe
PID 400 wrote to memory of 1324	400	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\582c0a3f9fb0c8d41a9e00290918c1dbJaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4796
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:536
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1156
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1276
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4180
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3264
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4480
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4008
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:640
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:8
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4036
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4620
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2604
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3112
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:992
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3388
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3328
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4680
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3564
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5076
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4656
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4824
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1324
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1712
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2580
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3404
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3948
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:956
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2568
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1388
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3992
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4524
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4592
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1060
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3028
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1600
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3704
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1988
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3412
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4064
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1804
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3304
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4320
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1760
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3432
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:452
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4904
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3596
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1480
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3612
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6064
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1456
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4340
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1560
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5672
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
b056af51a7d5191c5894d2b6ff12a5c1

SHA1
c93dbaba26426d3bf8375328e763dcdba8bd1d6f

SHA256
602b60bb33636ae0773e970d70ffcadfcb72704435ef8dd03242b45591b45231

SHA512
e125cd5925010fda8455dc24267b18983feb8f74cfc9c4835fca76aaa7680f3cb5e47bfce1651a814cb068f8cc1b1d71efc768f1af1742e4d4e6976c70db4208

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
2.2MB

MD5
730cf47fa190af1f44709acfc495de1b

SHA1
6f7d6c03638e63193544059cd5488c44442d7be0

SHA256
38fdb3b89323abc5116ba1df36ec43ec90b9bfcd5042d98c505f78630ab6664a

SHA512
6ccccab45c73ff61bbc3484b86ca3e02866f2683be37cf8c41cd08f86b2e8e6204e63537122a6872c2ab696bc7ca309390de1fbc05f9f7f7bc219b4271f9f905

Download Submit
memory/8-1826-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-663-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-3820-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-4171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-4307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-1607-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/536-1779-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/552-1806-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/640-1075-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/860-3001-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/860-3104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-2446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/992-1389-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1036-4804-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1092-3664-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1092-3675-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1184-1817-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-1700-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1276-802-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1324-1687-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1360-664-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1360-1608-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1392-2261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-1968-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1472-1960-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1472-2094-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-4714-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-4542-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1600-3279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1600-3123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1652-2742-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-1605-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1712-1697-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1760-3894-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1860-4337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-2616-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-2186-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2064-1688-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2400-1536-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2492-70-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2492-75-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2572-4825-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2572-4821-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-4033-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-2606-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-2715-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-1281-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2948-0-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2948-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2948-27-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2948-23-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/3264-1941-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3264-1807-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-3462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3284-3453-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3296-4552-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3304-3799-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3304-3646-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3328-2240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3328-1698-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3328-1702-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3328-1699-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3344-4813-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3388-1390-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3404-1810-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3412-3570-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3412-3431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-3132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-1537-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3596-4454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3596-4327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-2861-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3980-3655-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-2878-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-2976-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-1815-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4008-944-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4180-943-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4180-1808-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4324-2113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-2438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-2435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-1076-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4572-1279-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4620-1280-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4796-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4824-1606-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4948-4911-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-1689-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4980-801-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5004-2339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-4179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-2425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-1980-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5224-4646-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5280-4656-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5424-4677-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5672-4933-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5672-5022-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6064-4794-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download