pony | 34fe1e9e6bcced0022603434583cfe221080d15f8842ae2410c4630034420c20

Analysis

max time kernel
148s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 07:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe
Size

2.2MB
MD5

a873fb09f50a66c9718cdcb80507d7f8
SHA1

fb131fe4bae389153125e7747ec72ede828aeefa
SHA256

34fe1e9e6bcced0022603434583cfe221080d15f8842ae2410c4630034420c20
SHA512

dfb7fcc3faeaec3461c5e6ba11d3420cb7b436b11486045932e28a0675811c0c9adb59505d99f2aa3612a7ec99273fd053434774b38ba097d90410d3f75e978a
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZM:0UzeyQMS4DqodCnoe+iitjWwwY

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
4872	explorer.exe
4680	explorer.exe
4672	spoolsv.exe
3124	spoolsv.exe
2940	spoolsv.exe
3636	spoolsv.exe
4304	spoolsv.exe
4196	spoolsv.exe
3240	spoolsv.exe
2504	spoolsv.exe
2592	spoolsv.exe
3844	spoolsv.exe
4860	spoolsv.exe
5060	spoolsv.exe
4572	spoolsv.exe
1608	spoolsv.exe
4980	spoolsv.exe
4564	spoolsv.exe
4544	spoolsv.exe
1060	spoolsv.exe
3820	spoolsv.exe
3384	spoolsv.exe
3644	spoolsv.exe
3356	spoolsv.exe
5092	spoolsv.exe
1972	spoolsv.exe
764	spoolsv.exe
432	spoolsv.exe
2132	spoolsv.exe
2248	spoolsv.exe
5076	spoolsv.exe
3740	spoolsv.exe
4504	spoolsv.exe
3392	spoolsv.exe
4636	explorer.exe
1968	spoolsv.exe
3628	spoolsv.exe
412	spoolsv.exe
3444	spoolsv.exe
3912	spoolsv.exe
1836	spoolsv.exe
2564	spoolsv.exe
2508	explorer.exe
372	spoolsv.exe
3608	spoolsv.exe
2544	spoolsv.exe
2996	spoolsv.exe
4588	spoolsv.exe
1696	spoolsv.exe
3548	spoolsv.exe
1344	explorer.exe
2352	spoolsv.exe
1684	spoolsv.exe
3956	spoolsv.exe
1420	spoolsv.exe
3648	spoolsv.exe
1672	spoolsv.exe
2984	spoolsv.exe
2524	spoolsv.exe
2120	explorer.exe
3344	spoolsv.exe
3368	spoolsv.exe
2064	spoolsv.exe
888	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 55 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 4848	2316	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	87
PID 4872 set thread context of 4680	4872	explorer.exe	96
PID 4672 set thread context of 3392	4672	spoolsv.exe	128
PID 3124 set thread context of 1968	3124	spoolsv.exe	130
PID 2940 set thread context of 3628	2940	spoolsv.exe	131
PID 3636 set thread context of 412	3636	spoolsv.exe	132
PID 4304 set thread context of 3912	4304	spoolsv.exe	134
PID 4196 set thread context of 1836	4196	spoolsv.exe	135
PID 3240 set thread context of 2564	3240	spoolsv.exe	136
PID 2504 set thread context of 372	2504	spoolsv.exe	138
PID 2592 set thread context of 3608	2592	spoolsv.exe	139
PID 3844 set thread context of 2544	3844	spoolsv.exe	140
PID 4860 set thread context of 4588	4860	spoolsv.exe	142
PID 5060 set thread context of 1696	5060	spoolsv.exe	143
PID 4572 set thread context of 3548	4572	spoolsv.exe	144
PID 1608 set thread context of 2352	1608	spoolsv.exe	146
PID 4980 set thread context of 1684	4980	spoolsv.exe	147
PID 4564 set thread context of 3956	4564	spoolsv.exe	148
PID 4544 set thread context of 1420	4544	spoolsv.exe	149
PID 1060 set thread context of 3648	1060	spoolsv.exe	150
PID 3820 set thread context of 2984	3820	spoolsv.exe	152
PID 3384 set thread context of 2524	3384	spoolsv.exe	153
PID 3644 set thread context of 3344	3644	spoolsv.exe	155
PID 3356 set thread context of 3368	3356	spoolsv.exe	156
PID 5092 set thread context of 888	5092	spoolsv.exe	158
PID 1972 set thread context of 3304	1972	spoolsv.exe	159
PID 764 set thread context of 4844	764	spoolsv.exe	160
PID 432 set thread context of 4668	432	spoolsv.exe	162
PID 2132 set thread context of 1668	2132	spoolsv.exe	163
PID 2248 set thread context of 3484	2248	spoolsv.exe	165
PID 5076 set thread context of 116	5076	spoolsv.exe	166
PID 3740 set thread context of 4972	3740	spoolsv.exe	168
PID 4504 set thread context of 3104	4504	spoolsv.exe	172
PID 4636 set thread context of 3576	4636	explorer.exe	176
PID 3444 set thread context of 4452	3444	spoolsv.exe	180
PID 2508 set thread context of 4608	2508	explorer.exe	183
PID 2996 set thread context of 3012	2996	spoolsv.exe	189
PID 1344 set thread context of 3932	1344	explorer.exe	191
PID 1672 set thread context of 3348	1672	spoolsv.exe	196
PID 2120 set thread context of 884	2120	explorer.exe	199
PID 2064 set thread context of 4024	2064	spoolsv.exe	203
PID 1852 set thread context of 1692	1852	explorer.exe	205
PID 4828 set thread context of 1724	4828	spoolsv.exe	207
PID 2552 set thread context of 1264	2552	explorer.exe	209
PID 3172 set thread context of 4088	3172	spoolsv.exe	210
PID 5028 set thread context of 2084	5028	spoolsv.exe	212
PID 3980 set thread context of 3492	3980	spoolsv.exe	214
PID 5008 set thread context of 4268	5008	spoolsv.exe	216
PID 4936 set thread context of 1596	4936	explorer.exe	217
PID 2356 set thread context of 3388	2356	spoolsv.exe	218
PID 2288 set thread context of 3936	2288	spoolsv.exe	219
PID 2300 set thread context of 4436	2300	spoolsv.exe	221
PID 4548 set thread context of 4320	4548	spoolsv.exe	222
PID 3376 set thread context of 1504	3376	explorer.exe	224
PID 3828 set thread context of 1016	3828	spoolsv.exe	225

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4848	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe
4848	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4680	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4848	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe
4848	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
4680	explorer.exe
3392	spoolsv.exe
3392	spoolsv.exe
1968	spoolsv.exe
1968	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
412	spoolsv.exe
412	spoolsv.exe
3912	spoolsv.exe
3912	spoolsv.exe
1836	spoolsv.exe
1836	spoolsv.exe
2564	spoolsv.exe
2564	spoolsv.exe
372	spoolsv.exe
372	spoolsv.exe
2544	spoolsv.exe
2544	spoolsv.exe
4588	spoolsv.exe
4588	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
3548	spoolsv.exe
3548	spoolsv.exe
2352	spoolsv.exe
2352	spoolsv.exe
1684	spoolsv.exe
1684	spoolsv.exe
3956	spoolsv.exe
3956	spoolsv.exe
1420	spoolsv.exe
1420	spoolsv.exe
3648	spoolsv.exe
3648	spoolsv.exe
2984	spoolsv.exe
2984	spoolsv.exe
2524	spoolsv.exe
2524	spoolsv.exe
3344	spoolsv.exe
3344	spoolsv.exe
3368	spoolsv.exe
3368	spoolsv.exe
888	spoolsv.exe
888	spoolsv.exe
3304	spoolsv.exe
3304	spoolsv.exe
4844	spoolsv.exe
4844	spoolsv.exe
4668	spoolsv.exe
4668	spoolsv.exe
1668	spoolsv.exe
1668	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
116	spoolsv.exe
116	spoolsv.exe
4972	spoolsv.exe
4972	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1824	2316	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	82
PID 2316 wrote to memory of 1824	2316	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	82
PID 2316 wrote to memory of 4848	2316	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	87
PID 2316 wrote to memory of 4848	2316	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	87
PID 2316 wrote to memory of 4848	2316	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	87
PID 2316 wrote to memory of 4848	2316	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	87
PID 2316 wrote to memory of 4848	2316	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	87
PID 4848 wrote to memory of 4872	4848	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	88
PID 4848 wrote to memory of 4872	4848	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	88
PID 4848 wrote to memory of 4872	4848	a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe	88
PID 4872 wrote to memory of 4680	4872	explorer.exe	96
PID 4872 wrote to memory of 4680	4872	explorer.exe	96
PID 4872 wrote to memory of 4680	4872	explorer.exe	96
PID 4872 wrote to memory of 4680	4872	explorer.exe	96
PID 4872 wrote to memory of 4680	4872	explorer.exe	96
PID 4680 wrote to memory of 4672	4680	explorer.exe	97
PID 4680 wrote to memory of 4672	4680	explorer.exe	97
PID 4680 wrote to memory of 4672	4680	explorer.exe	97
PID 4680 wrote to memory of 3124	4680	explorer.exe	98
PID 4680 wrote to memory of 3124	4680	explorer.exe	98
PID 4680 wrote to memory of 3124	4680	explorer.exe	98
PID 4680 wrote to memory of 2940	4680	explorer.exe	99
PID 4680 wrote to memory of 2940	4680	explorer.exe	99
PID 4680 wrote to memory of 2940	4680	explorer.exe	99
PID 4680 wrote to memory of 3636	4680	explorer.exe	100
PID 4680 wrote to memory of 3636	4680	explorer.exe	100
PID 4680 wrote to memory of 3636	4680	explorer.exe	100
PID 4680 wrote to memory of 4304	4680	explorer.exe	101
PID 4680 wrote to memory of 4304	4680	explorer.exe	101
PID 4680 wrote to memory of 4304	4680	explorer.exe	101
PID 4680 wrote to memory of 4196	4680	explorer.exe	102
PID 4680 wrote to memory of 4196	4680	explorer.exe	102
PID 4680 wrote to memory of 4196	4680	explorer.exe	102
PID 4680 wrote to memory of 3240	4680	explorer.exe	103
PID 4680 wrote to memory of 3240	4680	explorer.exe	103
PID 4680 wrote to memory of 3240	4680	explorer.exe	103
PID 4680 wrote to memory of 2504	4680	explorer.exe	104
PID 4680 wrote to memory of 2504	4680	explorer.exe	104
PID 4680 wrote to memory of 2504	4680	explorer.exe	104
PID 4680 wrote to memory of 2592	4680	explorer.exe	105
PID 4680 wrote to memory of 2592	4680	explorer.exe	105
PID 4680 wrote to memory of 2592	4680	explorer.exe	105
PID 4680 wrote to memory of 3844	4680	explorer.exe	106
PID 4680 wrote to memory of 3844	4680	explorer.exe	106
PID 4680 wrote to memory of 3844	4680	explorer.exe	106
PID 4680 wrote to memory of 4860	4680	explorer.exe	107
PID 4680 wrote to memory of 4860	4680	explorer.exe	107
PID 4680 wrote to memory of 4860	4680	explorer.exe	107
PID 4680 wrote to memory of 5060	4680	explorer.exe	108
PID 4680 wrote to memory of 5060	4680	explorer.exe	108
PID 4680 wrote to memory of 5060	4680	explorer.exe	108
PID 4680 wrote to memory of 4572	4680	explorer.exe	109
PID 4680 wrote to memory of 4572	4680	explorer.exe	109
PID 4680 wrote to memory of 4572	4680	explorer.exe	109
PID 4680 wrote to memory of 1608	4680	explorer.exe	110
PID 4680 wrote to memory of 1608	4680	explorer.exe	110
PID 4680 wrote to memory of 1608	4680	explorer.exe	110
PID 4680 wrote to memory of 4980	4680	explorer.exe	111
PID 4680 wrote to memory of 4980	4680	explorer.exe	111
PID 4680 wrote to memory of 4980	4680	explorer.exe	111
PID 4680 wrote to memory of 4564	4680	explorer.exe	112
PID 4680 wrote to memory of 4564	4680	explorer.exe	112
PID 4680 wrote to memory of 4564	4680	explorer.exe	112
PID 4680 wrote to memory of 4544	4680	explorer.exe	113

C:\Users\Admin\AppData\Local\Temp\a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a873fb09f50a66c9718cdcb80507d7f8_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4848
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4672
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3392
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4636
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3124
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2940
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4304
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4196
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3240
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2508
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2504
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2592
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        
        PID:3608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3844
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4860
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5060
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1344
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1608
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4564
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4544
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1060
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3820
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3384
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2524
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2120
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3644
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3356
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5092
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:764
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4844
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:1852
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:432
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2132
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2248
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:116
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2552
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4504
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3104
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4936
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3444
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4452
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3376
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3012
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1672
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3348
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4024
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1724
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5028
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3492
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5008
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2356
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2288
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4548
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4320
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4412
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
2a8d3042d4a75ec1dac349d87171a66b

SHA1
5fc57cec5c1c85829457e93dfc5e745364c49567

SHA256
449e96facc0a66f80d8abd2fea6db75894519c308216a39248370703a14623fa

SHA512
992103699f634f0c758c4b3fe9fd472d067c8eeebc7a49a96883c82a77ff38603a2bd454f811f29b9cf9ba751f79a1ac2a18ef46af292698f54399105a45c02e

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
3dfae2169c3604477adffc9106eeff64

SHA1
5df0ff40ea1f5a8e07d4b041bf8ffe9f74ad44fd

SHA256
2afce1480166838d0d471199201caf0346b2da9c730ba2f0d64e5e7d35138925

SHA512
d5ea32c34aa262c4da940baf790e9aff9a56411a306260c539227f3a4cc9bf2bc0163e5792c4b8b00d6c2f62915deb5dfafa243518f78a300193e5787468e3c6

Download Submit
memory/116-3003-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/116-3121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/372-2196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-1977-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/864-5402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/884-4521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/884-4524-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-2712-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-5381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1060-1859-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1264-4919-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1504-5374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1608-1672-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1616-5391-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-2828-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-2419-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1684-2416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-4736-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-2301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1724-5058-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1724-4911-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1836-2077-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1968-1953-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1972-1975-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2084-4987-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-32-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2316-28-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2316-0-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2316-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2504-1331-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2524-2608-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2544-2229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-2380-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-1332-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2940-1968-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2940-1002-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3012-4207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-4074-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3104-3385-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3104-3296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3124-1957-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3124-1001-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3240-1191-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3304-2722-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-2619-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3348-4427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3348-4495-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3356-1956-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3368-2629-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3384-1944-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3388-5183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-2158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-1945-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-5309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-5155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-2398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-2589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-3413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-3410-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3608-2201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3628-1969-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3628-1966-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3636-1003-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3644-1955-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3820-1860-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3844-1333-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3912-2064-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-2055-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-4084-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-5192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3956-2426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4024-4726-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4024-4875-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4088-4937-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-1190-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4268-5163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-1189-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4320-5362-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-5285-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4436-5276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-3630-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-3740-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-1858-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4564-1674-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4572-1513-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4588-2290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-3797-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-2817-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4668-2821-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4672-1943-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4672-801-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4680-800-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-2979-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4844-2810-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-57-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4848-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-1511-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4872-76-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4872-70-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4972-3014-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-3012-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-1673-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5060-1512-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5092-1965-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download