pony | f7d115b173559d59a830cf84c4a207c8a7ddfd7d0f27318dbc55fff9962f1c17

Analysis

max time kernel
147s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 01:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
Size

2.2MB
MD5

a7a6467735563a2431445d7e577ec5c2
SHA1

ee511cdcf1ddc9a4b58eee0404c8bdc147b51604
SHA256

f7d115b173559d59a830cf84c4a207c8a7ddfd7d0f27318dbc55fff9962f1c17
SHA512

a951db9aadc87dace01958dd925a3d23a9e0fe43917b682ba6a3245cd525a0bc41efdc5b4fafebc77e5c14f4c0dcd87f16607697dfb31e15429deaeebfc23e3c
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZe:0UzeyQMS4DqodCnoe+iitjWwwC

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1192	explorer.exe
4360	explorer.exe
4776	spoolsv.exe
3856	spoolsv.exe
4052	spoolsv.exe
1540	spoolsv.exe
4912	spoolsv.exe
3076	spoolsv.exe
4288	spoolsv.exe
4880	spoolsv.exe
2692	spoolsv.exe
2004	spoolsv.exe
4748	spoolsv.exe
4356	spoolsv.exe
5088	spoolsv.exe
1416	spoolsv.exe
1708	spoolsv.exe
2428	spoolsv.exe
1724	spoolsv.exe
3528	spoolsv.exe
1532	spoolsv.exe
1880	spoolsv.exe
1320	spoolsv.exe
4896	spoolsv.exe
556	spoolsv.exe
4332	spoolsv.exe
3240	spoolsv.exe
2232	spoolsv.exe
2956	spoolsv.exe
5096	spoolsv.exe
2076	spoolsv.exe
5112	spoolsv.exe
1088	spoolsv.exe
1440	spoolsv.exe
5220	spoolsv.exe
5648	spoolsv.exe
5740	spoolsv.exe
5780	explorer.exe
6032	spoolsv.exe
5164	spoolsv.exe
5288	spoolsv.exe
5368	spoolsv.exe
5432	spoolsv.exe
5504	spoolsv.exe
5844	spoolsv.exe
5908	explorer.exe
5184	spoolsv.exe
5304	spoolsv.exe
5356	spoolsv.exe
5480	spoolsv.exe
4596	spoolsv.exe
5576	spoolsv.exe
5616	spoolsv.exe
5428	spoolsv.exe
6024	spoolsv.exe
5336	spoolsv.exe
5376	explorer.exe
4632	spoolsv.exe
5452	spoolsv.exe
4292	spoolsv.exe
5524	spoolsv.exe
5848	spoolsv.exe
5724	spoolsv.exe
1576	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 58 IoCs

description	pid	Process	procid_target
PID 956 set thread context of 2124	956	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	95
PID 1192 set thread context of 4360	1192	explorer.exe	100
PID 4776 set thread context of 5740	4776	spoolsv.exe	135
PID 3856 set thread context of 5164	3856	spoolsv.exe	138
PID 4052 set thread context of 5288	4052	spoolsv.exe	139
PID 1540 set thread context of 5368	1540	spoolsv.exe	140
PID 4912 set thread context of 5432	4912	spoolsv.exe	141
PID 3076 set thread context of 5504	3076	spoolsv.exe	142
PID 4288 set thread context of 5844	4288	spoolsv.exe	143
PID 4880 set thread context of 5304	4880	spoolsv.exe	146
PID 2692 set thread context of 5356	2692	spoolsv.exe	147
PID 2004 set thread context of 5480	2004	spoolsv.exe	148
PID 4748 set thread context of 4596	4748	spoolsv.exe	149
PID 4356 set thread context of 5576	4356	spoolsv.exe	150
PID 5088 set thread context of 5616	5088	spoolsv.exe	151
PID 1416 set thread context of 6024	1416	spoolsv.exe	153
PID 1708 set thread context of 5336	1708	spoolsv.exe	154
PID 2428 set thread context of 4632	2428	spoolsv.exe	156
PID 1724 set thread context of 5452	1724	spoolsv.exe	157
PID 3528 set thread context of 4292	3528	spoolsv.exe	158
PID 1532 set thread context of 5524	1532	spoolsv.exe	159
PID 1880 set thread context of 5724	1880	spoolsv.exe	161
PID 1320 set thread context of 4796	1320	spoolsv.exe	163
PID 4896 set thread context of 472	4896	spoolsv.exe	164
PID 556 set thread context of 4380	556	spoolsv.exe	165
PID 4332 set thread context of 5548	4332	spoolsv.exe	167
PID 3240 set thread context of 2524	3240	spoolsv.exe	168
PID 2232 set thread context of 6084	2232	spoolsv.exe	170
PID 2956 set thread context of 216	2956	spoolsv.exe	171
PID 5096 set thread context of 4392	5096	spoolsv.exe	173
PID 2076 set thread context of 5836	2076	spoolsv.exe	175
PID 5112 set thread context of 6072	5112	spoolsv.exe	176
PID 1088 set thread context of 6108	1088	spoolsv.exe	177
PID 1440 set thread context of 3760	1440	spoolsv.exe	179
PID 5220 set thread context of 3332	5220	spoolsv.exe	181
PID 5648 set thread context of 1620	5648	spoolsv.exe	184
PID 5780 set thread context of 5600	5780	explorer.exe	188
PID 6032 set thread context of 180	6032	spoolsv.exe	189
PID 5184 set thread context of 5784	5184	spoolsv.exe	194
PID 5908 set thread context of 116	5908	explorer.exe	197
PID 5428 set thread context of 5196	5428	spoolsv.exe	201
PID 5376 set thread context of 2792	5376	explorer.exe	203
PID 5848 set thread context of 5584	5848	spoolsv.exe	207
PID 1576 set thread context of 5132	1576	explorer.exe	210
PID 4724 set thread context of 2396	4724	spoolsv.exe	212
PID 6012 set thread context of 3600	6012	explorer.exe	214
PID 3268 set thread context of 4924	3268	spoolsv.exe	217
PID 1212 set thread context of 1736	1212	explorer.exe	219
PID 4552 set thread context of 2284	4552	spoolsv.exe	220
PID 1648 set thread context of 644	1648	explorer.exe	221
PID 4388 set thread context of 2040	4388	spoolsv.exe	223
PID 4576 set thread context of 1516	4576	spoolsv.exe	225
PID 5792 set thread context of 5212	5792	explorer.exe	226
PID 2208 set thread context of 4304	2208	spoolsv.exe	228
PID 5064 set thread context of 4528	5064	spoolsv.exe	231
PID 1988 set thread context of 880	1988	explorer.exe	233
PID 5652 set thread context of 3580	5652	spoolsv.exe	234
PID 5980 set thread context of 2812	5980	spoolsv.exe	237

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
2124	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4360	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2124	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
2124	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
4360	explorer.exe
5740	spoolsv.exe
5740	spoolsv.exe
5164	spoolsv.exe
5164	spoolsv.exe
5288	spoolsv.exe
5288	spoolsv.exe
5368	spoolsv.exe
5368	spoolsv.exe
5432	spoolsv.exe
5432	spoolsv.exe
5504	spoolsv.exe
5504	spoolsv.exe
5844	spoolsv.exe
5844	spoolsv.exe
5304	spoolsv.exe
5304	spoolsv.exe
5356	spoolsv.exe
5356	spoolsv.exe
5480	spoolsv.exe
5480	spoolsv.exe
4596	spoolsv.exe
4596	spoolsv.exe
5576	spoolsv.exe
5576	spoolsv.exe
5616	spoolsv.exe
5616	spoolsv.exe
6024	spoolsv.exe
6024	spoolsv.exe
5336	spoolsv.exe
5336	spoolsv.exe
4632	spoolsv.exe
4632	spoolsv.exe
5452	spoolsv.exe
5452	spoolsv.exe
4292	spoolsv.exe
4292	spoolsv.exe
5524	spoolsv.exe
5524	spoolsv.exe
5724	spoolsv.exe
5724	spoolsv.exe
4796	spoolsv.exe
4796	spoolsv.exe
472	spoolsv.exe
472	spoolsv.exe
4380	spoolsv.exe
4380	spoolsv.exe
5548	spoolsv.exe
5548	spoolsv.exe
2524	spoolsv.exe
2524	spoolsv.exe
6084	spoolsv.exe
6084	spoolsv.exe
216	spoolsv.exe
216	spoolsv.exe
4392	spoolsv.exe
4392	spoolsv.exe
5836	spoolsv.exe
5836	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 3952	956	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	91
PID 956 wrote to memory of 3952	956	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	91
PID 956 wrote to memory of 2124	956	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	95
PID 956 wrote to memory of 2124	956	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	95
PID 956 wrote to memory of 2124	956	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	95
PID 956 wrote to memory of 2124	956	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	95
PID 956 wrote to memory of 2124	956	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	95
PID 2124 wrote to memory of 1192	2124	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	96
PID 2124 wrote to memory of 1192	2124	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	96
PID 2124 wrote to memory of 1192	2124	a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe	96
PID 1192 wrote to memory of 4360	1192	explorer.exe	100
PID 1192 wrote to memory of 4360	1192	explorer.exe	100
PID 1192 wrote to memory of 4360	1192	explorer.exe	100
PID 1192 wrote to memory of 4360	1192	explorer.exe	100
PID 1192 wrote to memory of 4360	1192	explorer.exe	100
PID 4360 wrote to memory of 4776	4360	explorer.exe	101
PID 4360 wrote to memory of 4776	4360	explorer.exe	101
PID 4360 wrote to memory of 4776	4360	explorer.exe	101
PID 4360 wrote to memory of 3856	4360	explorer.exe	102
PID 4360 wrote to memory of 3856	4360	explorer.exe	102
PID 4360 wrote to memory of 3856	4360	explorer.exe	102
PID 4360 wrote to memory of 4052	4360	explorer.exe	103
PID 4360 wrote to memory of 4052	4360	explorer.exe	103
PID 4360 wrote to memory of 4052	4360	explorer.exe	103
PID 4360 wrote to memory of 1540	4360	explorer.exe	104
PID 4360 wrote to memory of 1540	4360	explorer.exe	104
PID 4360 wrote to memory of 1540	4360	explorer.exe	104
PID 4360 wrote to memory of 4912	4360	explorer.exe	105
PID 4360 wrote to memory of 4912	4360	explorer.exe	105
PID 4360 wrote to memory of 4912	4360	explorer.exe	105
PID 4360 wrote to memory of 3076	4360	explorer.exe	106
PID 4360 wrote to memory of 3076	4360	explorer.exe	106
PID 4360 wrote to memory of 3076	4360	explorer.exe	106
PID 4360 wrote to memory of 4288	4360	explorer.exe	107
PID 4360 wrote to memory of 4288	4360	explorer.exe	107
PID 4360 wrote to memory of 4288	4360	explorer.exe	107
PID 4360 wrote to memory of 4880	4360	explorer.exe	108
PID 4360 wrote to memory of 4880	4360	explorer.exe	108
PID 4360 wrote to memory of 4880	4360	explorer.exe	108
PID 4360 wrote to memory of 2692	4360	explorer.exe	109
PID 4360 wrote to memory of 2692	4360	explorer.exe	109
PID 4360 wrote to memory of 2692	4360	explorer.exe	109
PID 4360 wrote to memory of 2004	4360	explorer.exe	110
PID 4360 wrote to memory of 2004	4360	explorer.exe	110
PID 4360 wrote to memory of 2004	4360	explorer.exe	110
PID 4360 wrote to memory of 4748	4360	explorer.exe	111
PID 4360 wrote to memory of 4748	4360	explorer.exe	111
PID 4360 wrote to memory of 4748	4360	explorer.exe	111
PID 4360 wrote to memory of 4356	4360	explorer.exe	112
PID 4360 wrote to memory of 4356	4360	explorer.exe	112
PID 4360 wrote to memory of 4356	4360	explorer.exe	112
PID 4360 wrote to memory of 5088	4360	explorer.exe	113
PID 4360 wrote to memory of 5088	4360	explorer.exe	113
PID 4360 wrote to memory of 5088	4360	explorer.exe	113
PID 4360 wrote to memory of 1416	4360	explorer.exe	114
PID 4360 wrote to memory of 1416	4360	explorer.exe	114
PID 4360 wrote to memory of 1416	4360	explorer.exe	114
PID 4360 wrote to memory of 1708	4360	explorer.exe	115
PID 4360 wrote to memory of 1708	4360	explorer.exe	115
PID 4360 wrote to memory of 1708	4360	explorer.exe	115
PID 4360 wrote to memory of 2428	4360	explorer.exe	116
PID 4360 wrote to memory of 2428	4360	explorer.exe	116
PID 4360 wrote to memory of 2428	4360	explorer.exe	116
PID 4360 wrote to memory of 1724	4360	explorer.exe	117

C:\Users\Admin\AppData\Local\Temp\a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a7a6467735563a2431445d7e577ec5c2_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4776
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5740
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5780
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4052
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4912
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4288
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5844
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5908
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4880
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2692
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4356
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1416
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1708
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5336
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5376
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1724
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1880
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5724
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1576
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1320
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4332
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3240
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:6012
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2232
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2956
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4392
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1212
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5112
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3760
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1648
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5220
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5648
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1620
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:5792
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:6032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:180
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1988
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5184
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5784
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5540
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5196
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5848
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5584
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4724
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2396
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3268
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4924
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4388
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2040
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4576
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2208
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4304
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4528
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:5652
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2812
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2960
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5076
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4460
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:944
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4648,i,16866810346450717340,3849854439116899380,262144 --variations-seed-version --mojo-platform-channel-handle=4132 /prefetch:8
1⤵
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
d14ab98ffc97558dcc69cee85a0f7b27

SHA1
c104d7c62034945a9c9db38a2cae2908bd9f8c4c

SHA256
f769f97c3961c58b7ef1219a8e25a99b1d8f905f9d5209633ba3a2d41e354c5a

SHA512
bf6f6bf024f6ae532265821b1a66be56cc20aee0af3ff5ae45f49288609d05efe00a9f3820bc4287d37d778cd2f8c779f11730d4789a70053905658661297473

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
cf21e71298a2cff02e9e90cba84534fb

SHA1
3b36ac1373e1bff54593679c0c0bb26a739dc0ce

SHA256
b3e4a86541e7f9c2a383e14e1cfb4dd725168f9ead69fc98291d6c0e123af2f3

SHA512
ba1975ac76c4754f12efa062363058fbb618376d958a24075c42b2e2bd7d24d325848221d8d76a3d8c6ab5ab098c52e34757f3d317fefc7f7129902b1af94cff

Download Submit
memory/116-4277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/180-3910-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/180-4046-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-3240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/556-2302-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/644-5276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-5739-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-43-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/956-0-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/956-47-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/956-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1192-99-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1192-104-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1320-2207-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1416-1824-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1436-6117-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-6122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1516-5436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-2205-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1540-1222-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1620-3717-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-3831-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1708-2018-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1724-2020-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1736-5253-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1880-2206-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2004-1623-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2040-5426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-5555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-87-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2124-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-5268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-5086-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2396-5154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2428-2019-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2524-3212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-3364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-1622-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2792-4553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-6066-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3076-1399-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3240-2412-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3332-3588-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-2021-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3580-5747-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-5096-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3760-3579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3776-6102-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3856-1220-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3856-2402-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4052-1221-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4052-2418-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4288-1400-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4304-5589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-5706-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4332-2398-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4356-1822-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4360-988-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-3061-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-3556-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-3404-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-5728-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4596-2651-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4748-1624-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4776-2304-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4776-989-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4796-3045-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-1621-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4896-2301-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4912-1398-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4924-5245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-6092-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-1823-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5132-4985-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5164-2401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5164-2405-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5196-4680-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5212-5447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5288-2417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5288-2414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5304-2618-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5304-2623-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5336-3016-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5336-2828-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5368-2426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5452-2844-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5480-2640-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5504-2447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5576-2663-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5584-4982-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5584-4850-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5600-3900-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5616-2680-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5724-3172-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5724-3033-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5740-2502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5740-2303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5784-4170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5800-6110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5836-3412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5844-2530-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5844-2771-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6024-2732-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6024-2734-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6072-3422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6108-3432-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download