pony | e88a8b2d20f6a2286579a5a28fdd79c7247f64241352fb8f65f186d600266cab

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe
Size

2.2MB
MD5

a6a053001ee8d0a8458d1a17f0f8dedf
SHA1

ab63a37e8d87ab70002c4eb596645f1d3ec175cf
SHA256

e88a8b2d20f6a2286579a5a28fdd79c7247f64241352fb8f65f186d600266cab
SHA512

49ef397ddc4d0eb53ab1be9b8f45715264766935987a89dc38e03a7ad8c9e2534cc44b99de7ac0d43ef38e91ac7f1590ce20466f7897c8c155cfecf4298c78fe
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZ+:0UzeyQMS4DqodCnoe+iitjWwwi

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2144	explorer.exe
860	explorer.exe
1528	spoolsv.exe
2500	spoolsv.exe
4660	spoolsv.exe
3032	spoolsv.exe
2296	spoolsv.exe
996	spoolsv.exe
3584	spoolsv.exe
4120	spoolsv.exe
2144	spoolsv.exe
5112	spoolsv.exe
3576	spoolsv.exe
2892	spoolsv.exe
3492	spoolsv.exe
4484	spoolsv.exe
5008	spoolsv.exe
3012	spoolsv.exe
5096	spoolsv.exe
4612	spoolsv.exe
4424	spoolsv.exe
828	spoolsv.exe
4736	spoolsv.exe
2540	spoolsv.exe
216	spoolsv.exe
4400	spoolsv.exe
4600	spoolsv.exe
4896	spoolsv.exe
1052	spoolsv.exe
4952	spoolsv.exe
3092	spoolsv.exe
4908	spoolsv.exe
4004	spoolsv.exe
3976	spoolsv.exe
900	spoolsv.exe
2464	spoolsv.exe
452	spoolsv.exe
3016	spoolsv.exe
1856	spoolsv.exe
3720	spoolsv.exe
4840	spoolsv.exe
920	spoolsv.exe
952	spoolsv.exe
1384	explorer.exe
4364	spoolsv.exe
2552	spoolsv.exe
5088	spoolsv.exe
4336	spoolsv.exe
3096	spoolsv.exe
1616	spoolsv.exe
3740	spoolsv.exe
4784	spoolsv.exe
4540	spoolsv.exe
748	explorer.exe
3916	spoolsv.exe
3904	spoolsv.exe
4436	spoolsv.exe
116	spoolsv.exe
4048	spoolsv.exe
2400	spoolsv.exe
4848	spoolsv.exe
3528	spoolsv.exe
1800	spoolsv.exe
2876	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 56 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 3948	1580	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	87
PID 2144 set thread context of 860	2144	explorer.exe	96
PID 1528 set thread context of 952	1528	spoolsv.exe	137
PID 2500 set thread context of 4364	2500	spoolsv.exe	139
PID 4660 set thread context of 2552	4660	spoolsv.exe	140
PID 3032 set thread context of 5088	3032	spoolsv.exe	141
PID 2296 set thread context of 4336	2296	spoolsv.exe	142
PID 996 set thread context of 1616	996	spoolsv.exe	144
PID 3584 set thread context of 3740	3584	spoolsv.exe	145
PID 4120 set thread context of 4784	4120	spoolsv.exe	146
PID 2144 set thread context of 4540	2144	spoolsv.exe	147
PID 5112 set thread context of 3916	5112	spoolsv.exe	149
PID 3576 set thread context of 3904	3576	spoolsv.exe	150
PID 2892 set thread context of 4436	2892	spoolsv.exe	151
PID 3492 set thread context of 116	3492	spoolsv.exe	152
PID 4484 set thread context of 4048	4484	spoolsv.exe	153
PID 3012 set thread context of 2400	3012	spoolsv.exe	154
PID 5096 set thread context of 4848	5096	spoolsv.exe	155
PID 5008 set thread context of 3528	5008	spoolsv.exe	156
PID 828 set thread context of 1800	828	spoolsv.exe	157
PID 4736 set thread context of 2876	4736	spoolsv.exe	158
PID 4612 set thread context of 1472	4612	spoolsv.exe	159
PID 2540 set thread context of 3104	2540	spoolsv.exe	160
PID 4424 set thread context of 1012	4424	spoolsv.exe	175
PID 216 set thread context of 4180	216	spoolsv.exe	162
PID 4400 set thread context of 3552	4400	spoolsv.exe	163
PID 4896 set thread context of 3112	4896	spoolsv.exe	165
PID 4600 set thread context of 1704	4600	spoolsv.exe	166
PID 1052 set thread context of 3980	1052	spoolsv.exe	167
PID 4952 set thread context of 4184	4952	spoolsv.exe	168
PID 3092 set thread context of 5100	3092	spoolsv.exe	169
PID 4840 set thread context of 4304	4840	spoolsv.exe	170
PID 4908 set thread context of 2016	4908	spoolsv.exe	171
PID 4004 set thread context of 4288	4004	spoolsv.exe	172
PID 3976 set thread context of 2088	3976	spoolsv.exe	173
PID 900 set thread context of 1012	900	spoolsv.exe	175
PID 2464 set thread context of 3300	2464	spoolsv.exe	176
PID 452 set thread context of 2864	452	spoolsv.exe	177
PID 3016 set thread context of 4284	3016	spoolsv.exe	178
PID 1856 set thread context of 3632	1856	spoolsv.exe	179
PID 3720 set thread context of 4244	3720	spoolsv.exe	180
PID 920 set thread context of 5880	920	spoolsv.exe	230
PID 1384 set thread context of 5992	1384	explorer.exe	232
PID 3096 set thread context of 4008	3096	spoolsv.exe	233
PID 3508 set thread context of 4056	3508	spoolsv.exe	234
PID 3800 set thread context of 5336	3800	explorer.exe	235
PID 748 set thread context of 5976	748	explorer.exe	236
PID 4732 set thread context of 2524	4732	spoolsv.exe	237
PID 3052 set thread context of 5376	3052	spoolsv.exe	238
PID 2888 set thread context of 2624	2888	spoolsv.exe	239
PID 4932 set thread context of 3056	4932	spoolsv.exe	240
PID 1572 set thread context of 6136	1572	spoolsv.exe	241
PID 1364 set thread context of 2232	1364	spoolsv.exe	242
PID 4320 set thread context of 1568	4320	spoolsv.exe	243
PID 1984 set thread context of 436	1984	spoolsv.exe	245
PID 4816 set thread context of 5060	4816	spoolsv.exe	246

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3948	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe
3948	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
860	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3948	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe
3948	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
952	spoolsv.exe
952	spoolsv.exe
4364	spoolsv.exe
4364	spoolsv.exe
2552	spoolsv.exe
2552	spoolsv.exe
5088	spoolsv.exe
5088	spoolsv.exe
4336	spoolsv.exe
4336	spoolsv.exe
1616	spoolsv.exe
1616	spoolsv.exe
3740	spoolsv.exe
3740	spoolsv.exe
4784	spoolsv.exe
4784	spoolsv.exe
4540	spoolsv.exe
4540	spoolsv.exe
3916	spoolsv.exe
3916	spoolsv.exe
3904	spoolsv.exe
3904	spoolsv.exe
4436	spoolsv.exe
4436	spoolsv.exe
116	spoolsv.exe
116	spoolsv.exe
4048	spoolsv.exe
4048	spoolsv.exe
2400	spoolsv.exe
2400	spoolsv.exe
4848	spoolsv.exe
4848	spoolsv.exe
3528	spoolsv.exe
3528	spoolsv.exe
1800	spoolsv.exe
1800	spoolsv.exe
2876	spoolsv.exe
2876	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe
3104	spoolsv.exe
3104	spoolsv.exe
1012	spoolsv.exe
1012	spoolsv.exe
4180	spoolsv.exe
4180	spoolsv.exe
3552	spoolsv.exe
3552	spoolsv.exe
3112	spoolsv.exe
3112	spoolsv.exe
1704	spoolsv.exe
1704	spoolsv.exe
3980	spoolsv.exe
3980	spoolsv.exe
4184	spoolsv.exe
4184	spoolsv.exe
5100	spoolsv.exe
5100	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 1692	1580	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	83
PID 1580 wrote to memory of 1692	1580	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	83
PID 1580 wrote to memory of 3948	1580	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	87
PID 1580 wrote to memory of 3948	1580	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	87
PID 1580 wrote to memory of 3948	1580	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	87
PID 1580 wrote to memory of 3948	1580	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	87
PID 1580 wrote to memory of 3948	1580	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	87
PID 3948 wrote to memory of 2144	3948	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	88
PID 3948 wrote to memory of 2144	3948	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	88
PID 3948 wrote to memory of 2144	3948	a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe	88
PID 2144 wrote to memory of 860	2144	explorer.exe	96
PID 2144 wrote to memory of 860	2144	explorer.exe	96
PID 2144 wrote to memory of 860	2144	explorer.exe	96
PID 2144 wrote to memory of 860	2144	explorer.exe	96
PID 2144 wrote to memory of 860	2144	explorer.exe	96
PID 860 wrote to memory of 1528	860	explorer.exe	97
PID 860 wrote to memory of 1528	860	explorer.exe	97
PID 860 wrote to memory of 1528	860	explorer.exe	97
PID 860 wrote to memory of 2500	860	explorer.exe	98
PID 860 wrote to memory of 2500	860	explorer.exe	98
PID 860 wrote to memory of 2500	860	explorer.exe	98
PID 860 wrote to memory of 4660	860	explorer.exe	99
PID 860 wrote to memory of 4660	860	explorer.exe	99
PID 860 wrote to memory of 4660	860	explorer.exe	99
PID 860 wrote to memory of 3032	860	explorer.exe	100
PID 860 wrote to memory of 3032	860	explorer.exe	100
PID 860 wrote to memory of 3032	860	explorer.exe	100
PID 860 wrote to memory of 2296	860	explorer.exe	101
PID 860 wrote to memory of 2296	860	explorer.exe	101
PID 860 wrote to memory of 2296	860	explorer.exe	101
PID 860 wrote to memory of 996	860	explorer.exe	102
PID 860 wrote to memory of 996	860	explorer.exe	102
PID 860 wrote to memory of 996	860	explorer.exe	102
PID 860 wrote to memory of 3584	860	explorer.exe	103
PID 860 wrote to memory of 3584	860	explorer.exe	103
PID 860 wrote to memory of 3584	860	explorer.exe	103
PID 860 wrote to memory of 4120	860	explorer.exe	104
PID 860 wrote to memory of 4120	860	explorer.exe	104
PID 860 wrote to memory of 4120	860	explorer.exe	104
PID 860 wrote to memory of 2144	860	explorer.exe	105
PID 860 wrote to memory of 2144	860	explorer.exe	105
PID 860 wrote to memory of 2144	860	explorer.exe	105
PID 860 wrote to memory of 5112	860	explorer.exe	106
PID 860 wrote to memory of 5112	860	explorer.exe	106
PID 860 wrote to memory of 5112	860	explorer.exe	106
PID 860 wrote to memory of 3576	860	explorer.exe	107
PID 860 wrote to memory of 3576	860	explorer.exe	107
PID 860 wrote to memory of 3576	860	explorer.exe	107
PID 860 wrote to memory of 2892	860	explorer.exe	108
PID 860 wrote to memory of 2892	860	explorer.exe	108
PID 860 wrote to memory of 2892	860	explorer.exe	108
PID 860 wrote to memory of 3492	860	explorer.exe	109
PID 860 wrote to memory of 3492	860	explorer.exe	109
PID 860 wrote to memory of 3492	860	explorer.exe	109
PID 860 wrote to memory of 4484	860	explorer.exe	110
PID 860 wrote to memory of 4484	860	explorer.exe	110
PID 860 wrote to memory of 4484	860	explorer.exe	110
PID 860 wrote to memory of 5008	860	explorer.exe	111
PID 860 wrote to memory of 5008	860	explorer.exe	111
PID 860 wrote to memory of 5008	860	explorer.exe	111
PID 860 wrote to memory of 3012	860	explorer.exe	112
PID 860 wrote to memory of 3012	860	explorer.exe	112
PID 860 wrote to memory of 3012	860	explorer.exe	112
PID 860 wrote to memory of 5096	860	explorer.exe	113

C:\Users\Admin\AppData\Local\Temp\a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a6a053001ee8d0a8458d1a17f0f8dedf_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3948
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1384
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2500
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4660
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2296
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3584
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4120
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4784
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:748
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5112
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3576
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3492
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4484
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5008
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3012
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4612
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4424
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4736
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:216
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1052
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4952
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3092
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4908
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4288
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:3800
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3976
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:900
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2464
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:452
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3016
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3720
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:920
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5880
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3508
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4732
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3052
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2888
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4932
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1364
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4320
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1984
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4816
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:376
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:6036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:6120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
10c4f5256a4e7b64b494f6b92b0f249a

SHA1
cabaa21a5fffd107081f808478c8478e7576be11

SHA256
ace729e1fef0c304cb534707041e56055685eda3562f810c2d2aaee9b52b0f0d

SHA512
825c9b0a47b13d5596261a921504fcd17096c7317971837870087cb2448e3084b705bc57a56ffd70361951f903c7a15088703f697554ca5a150d540c88d425e8

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
12738f5e7583aa5f4ab80606ba285682

SHA1
7f08fae4f367c57f69232d4ca40edd6f57c02e15

SHA256
abc041b061743a9a60c29a02f767ed2dcf46e8f785f4b88b361cda23b621d997

SHA512
33b79631e14c25468f43925a7aa17ed79542c83cef980d0b76d5b9e726f4b94dff742813208c590dbc563290993220292d23e881e3e2e41b891c890536b4cebb

Download Submit
memory/116-2697-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-2231-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/828-2110-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/860-1715-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/860-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/952-2538-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/952-2635-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/996-1821-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1012-2896-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-2356-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1472-2762-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-1716-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1568-6014-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1580-43-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1580-0-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1580-47-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1616-2619-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1704-2826-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-106-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2144-100-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2144-1984-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2296-1820-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2400-2728-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-1817-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2524-5952-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-2112-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2552-2573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-2915-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-2761-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-1987-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3012-2106-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3032-1819-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3056-5987-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-2515-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3104-2786-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3112-2818-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3300-2906-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-1988-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3528-2738-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-2803-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-1986-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3584-1822-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3632-2935-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3904-2676-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3916-2663-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-92-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-87-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3948-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3980-2838-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-5929-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4048-2709-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4120-1983-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4184-2845-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4244-2944-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-2924-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-3117-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4288-2888-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-2875-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4336-2601-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-2546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-2232-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4424-2109-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4436-2687-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4484-1989-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4540-2651-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4600-2233-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4612-2108-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4660-1818-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4736-2111-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4784-2650-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-2234-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4952-2357-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5008-2105-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5060-6112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-6142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-2584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-2107-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5112-1985-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5336-5941-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5880-5893-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5976-5957-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5992-5903-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download