pony | 2fa9ad50017f1556b9ccedaa19d1c21e75cad125f1e2c57b87d23ceb0180c795

Analysis

max time kernel
146s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 20:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe
Size

2.2MB
MD5

ab485ed6ee729f85a333a79ed7ec5d60
SHA1

df9d83a0f9ee05fb2c58cfef0b0c4a606df07492
SHA256

2fa9ad50017f1556b9ccedaa19d1c21e75cad125f1e2c57b87d23ceb0180c795
SHA512

641be72cd9225f5e84c88c9df4faf925a755cfdf10ad78e9379d0516628f9f930aa41cc10f2a58dab06084cb82b391049d9b90f6e53dcad3dd2b94b79c1c29d8
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZY:0UzeyQMS4DqodCnoe+iitjWwwk

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1356	explorer.exe
4332	explorer.exe
3584	spoolsv.exe
4480	spoolsv.exe
1932	spoolsv.exe
1260	spoolsv.exe
4104	spoolsv.exe
608	spoolsv.exe
1360	spoolsv.exe
3448	spoolsv.exe
4144	spoolsv.exe
4160	spoolsv.exe
5092	spoolsv.exe
4528	spoolsv.exe
1088	spoolsv.exe
4080	spoolsv.exe
1616	spoolsv.exe
4292	spoolsv.exe
1408	spoolsv.exe
3192	spoolsv.exe
228	spoolsv.exe
2508	spoolsv.exe
5100	spoolsv.exe
2392	spoolsv.exe
4352	spoolsv.exe
2292	spoolsv.exe
3996	spoolsv.exe
388	spoolsv.exe
4636	spoolsv.exe
1692	spoolsv.exe
3852	spoolsv.exe
4148	spoolsv.exe
636	explorer.exe
1420	spoolsv.exe
2064	spoolsv.exe
5064	spoolsv.exe
532	spoolsv.exe
4776	spoolsv.exe
2780	explorer.exe
5104	spoolsv.exe
4072	spoolsv.exe
1256	spoolsv.exe
1808	spoolsv.exe
640	spoolsv.exe
3708	explorer.exe
4128	spoolsv.exe
220	spoolsv.exe
4324	spoolsv.exe
3684	spoolsv.exe
752	spoolsv.exe
2324	spoolsv.exe
1828	spoolsv.exe
4904	explorer.exe
648	spoolsv.exe
2416	spoolsv.exe
4680	spoolsv.exe
4444	spoolsv.exe
1108	spoolsv.exe
3416	spoolsv.exe
5084	explorer.exe
3664	spoolsv.exe
4848	spoolsv.exe
4256	spoolsv.exe
3888	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 53 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 4284	2184	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	86
PID 1356 set thread context of 4332	1356	explorer.exe	95
PID 3584 set thread context of 4148	3584	spoolsv.exe	125
PID 4480 set thread context of 2064	4480	spoolsv.exe	128
PID 1932 set thread context of 5064	1932	spoolsv.exe	129
PID 1260 set thread context of 4776	1260	spoolsv.exe	131
PID 4104 set thread context of 5104	4104	spoolsv.exe	133
PID 608 set thread context of 4072	608	spoolsv.exe	134
PID 1360 set thread context of 1256	1360	spoolsv.exe	135
PID 3448 set thread context of 1808	3448	spoolsv.exe	136
PID 4144 set thread context of 640	4144	spoolsv.exe	137
PID 4160 set thread context of 220	4160	spoolsv.exe	140
PID 5092 set thread context of 4324	5092	spoolsv.exe	141
PID 4528 set thread context of 3684	4528	spoolsv.exe	142
PID 1088 set thread context of 752	1088	spoolsv.exe	143
PID 4080 set thread context of 1828	4080	spoolsv.exe	145
PID 1616 set thread context of 648	1616	spoolsv.exe	147
PID 4292 set thread context of 2416	4292	spoolsv.exe	148
PID 1408 set thread context of 4680	1408	spoolsv.exe	149
PID 3192 set thread context of 1108	3192	spoolsv.exe	151
PID 228 set thread context of 3416	228	spoolsv.exe	152
PID 2508 set thread context of 3664	2508	spoolsv.exe	154
PID 5100 set thread context of 4848	5100	spoolsv.exe	155
PID 2392 set thread context of 3888	2392	spoolsv.exe	157
PID 4352 set thread context of 4268	4352	spoolsv.exe	158
PID 2292 set thread context of 4860	2292	spoolsv.exe	160
PID 3996 set thread context of 2000	3996	spoolsv.exe	161
PID 388 set thread context of 3176	388	spoolsv.exe	162
PID 4636 set thread context of 3692	4636	spoolsv.exe	164
PID 1692 set thread context of 544	1692	spoolsv.exe	166
PID 3852 set thread context of 4584	3852	spoolsv.exe	168
PID 636 set thread context of 4452	636	explorer.exe	172
PID 1420 set thread context of 884	1420	spoolsv.exe	173
PID 2780 set thread context of 920	2780	explorer.exe	178
PID 532 set thread context of 4980	532	spoolsv.exe	180
PID 4128 set thread context of 1484	4128	spoolsv.exe	184
PID 3708 set thread context of 3744	3708	explorer.exe	186
PID 2324 set thread context of 4956	2324	spoolsv.exe	190
PID 4904 set thread context of 3724	4904	explorer.exe	193
PID 4444 set thread context of 4300	4444	spoolsv.exe	195
PID 5084 set thread context of 4556	5084	explorer.exe	198
PID 4256 set thread context of 1516	4256	spoolsv.exe	201
PID 5116 set thread context of 1552	5116	explorer.exe	203
PID 1668 set thread context of 2860	1668	spoolsv.exe	204
PID 4312 set thread context of 4328	4312	explorer.exe	206
PID 4648 set thread context of 4168	4648	spoolsv.exe	207
PID 5004 set thread context of 3632	5004	explorer.exe	208
PID 1840 set thread context of 2380	1840	spoolsv.exe	209
PID 1672 set thread context of 4140	1672	spoolsv.exe	211
PID 3352 set thread context of 4424	3352	explorer.exe	212
PID 2228 set thread context of 2936	2228	spoolsv.exe	213
PID 2696 set thread context of 2768	2696	spoolsv.exe	215
PID 4540 set thread context of 1016	4540	spoolsv.exe	218

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe
4284	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4332	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4284	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe
4284	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4332	explorer.exe
4148	spoolsv.exe
4148	spoolsv.exe
2064	spoolsv.exe
2064	spoolsv.exe
5064	spoolsv.exe
5064	spoolsv.exe
4776	spoolsv.exe
4776	spoolsv.exe
5104	spoolsv.exe
5104	spoolsv.exe
4072	spoolsv.exe
4072	spoolsv.exe
1256	spoolsv.exe
1256	spoolsv.exe
1808	spoolsv.exe
1808	spoolsv.exe
640	spoolsv.exe
640	spoolsv.exe
220	spoolsv.exe
220	spoolsv.exe
4324	spoolsv.exe
4324	spoolsv.exe
3684	spoolsv.exe
3684	spoolsv.exe
752	spoolsv.exe
752	spoolsv.exe
1828	spoolsv.exe
1828	spoolsv.exe
648	spoolsv.exe
648	spoolsv.exe
2416	spoolsv.exe
2416	spoolsv.exe
4680	spoolsv.exe
4680	spoolsv.exe
1108	spoolsv.exe
1108	spoolsv.exe
3416	spoolsv.exe
3416	spoolsv.exe
3664	spoolsv.exe
3664	spoolsv.exe
4848	spoolsv.exe
4848	spoolsv.exe
3888	spoolsv.exe
3888	spoolsv.exe
4268	spoolsv.exe
4268	spoolsv.exe
4860	spoolsv.exe
4860	spoolsv.exe
2000	spoolsv.exe
2000	spoolsv.exe
3176	spoolsv.exe
3176	spoolsv.exe
3692	spoolsv.exe
3692	spoolsv.exe
544	spoolsv.exe
544	spoolsv.exe
4584	spoolsv.exe
4584	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1472	2184	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	81
PID 2184 wrote to memory of 1472	2184	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	81
PID 2184 wrote to memory of 4284	2184	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	86
PID 2184 wrote to memory of 4284	2184	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	86
PID 2184 wrote to memory of 4284	2184	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	86
PID 2184 wrote to memory of 4284	2184	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	86
PID 2184 wrote to memory of 4284	2184	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	86
PID 4284 wrote to memory of 1356	4284	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	87
PID 4284 wrote to memory of 1356	4284	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	87
PID 4284 wrote to memory of 1356	4284	ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe	87
PID 1356 wrote to memory of 4332	1356	explorer.exe	95
PID 1356 wrote to memory of 4332	1356	explorer.exe	95
PID 1356 wrote to memory of 4332	1356	explorer.exe	95
PID 1356 wrote to memory of 4332	1356	explorer.exe	95
PID 1356 wrote to memory of 4332	1356	explorer.exe	95
PID 4332 wrote to memory of 3584	4332	explorer.exe	96
PID 4332 wrote to memory of 3584	4332	explorer.exe	96
PID 4332 wrote to memory of 3584	4332	explorer.exe	96
PID 4332 wrote to memory of 4480	4332	explorer.exe	97
PID 4332 wrote to memory of 4480	4332	explorer.exe	97
PID 4332 wrote to memory of 4480	4332	explorer.exe	97
PID 4332 wrote to memory of 1932	4332	explorer.exe	98
PID 4332 wrote to memory of 1932	4332	explorer.exe	98
PID 4332 wrote to memory of 1932	4332	explorer.exe	98
PID 4332 wrote to memory of 1260	4332	explorer.exe	99
PID 4332 wrote to memory of 1260	4332	explorer.exe	99
PID 4332 wrote to memory of 1260	4332	explorer.exe	99
PID 4332 wrote to memory of 4104	4332	explorer.exe	100
PID 4332 wrote to memory of 4104	4332	explorer.exe	100
PID 4332 wrote to memory of 4104	4332	explorer.exe	100
PID 4332 wrote to memory of 608	4332	explorer.exe	101
PID 4332 wrote to memory of 608	4332	explorer.exe	101
PID 4332 wrote to memory of 608	4332	explorer.exe	101
PID 4332 wrote to memory of 1360	4332	explorer.exe	102
PID 4332 wrote to memory of 1360	4332	explorer.exe	102
PID 4332 wrote to memory of 1360	4332	explorer.exe	102
PID 4332 wrote to memory of 3448	4332	explorer.exe	103
PID 4332 wrote to memory of 3448	4332	explorer.exe	103
PID 4332 wrote to memory of 3448	4332	explorer.exe	103
PID 4332 wrote to memory of 4144	4332	explorer.exe	104
PID 4332 wrote to memory of 4144	4332	explorer.exe	104
PID 4332 wrote to memory of 4144	4332	explorer.exe	104
PID 4332 wrote to memory of 4160	4332	explorer.exe	105
PID 4332 wrote to memory of 4160	4332	explorer.exe	105
PID 4332 wrote to memory of 4160	4332	explorer.exe	105
PID 4332 wrote to memory of 5092	4332	explorer.exe	106
PID 4332 wrote to memory of 5092	4332	explorer.exe	106
PID 4332 wrote to memory of 5092	4332	explorer.exe	106
PID 4332 wrote to memory of 4528	4332	explorer.exe	107
PID 4332 wrote to memory of 4528	4332	explorer.exe	107
PID 4332 wrote to memory of 4528	4332	explorer.exe	107
PID 4332 wrote to memory of 1088	4332	explorer.exe	108
PID 4332 wrote to memory of 1088	4332	explorer.exe	108
PID 4332 wrote to memory of 1088	4332	explorer.exe	108
PID 4332 wrote to memory of 4080	4332	explorer.exe	109
PID 4332 wrote to memory of 4080	4332	explorer.exe	109
PID 4332 wrote to memory of 4080	4332	explorer.exe	109
PID 4332 wrote to memory of 1616	4332	explorer.exe	110
PID 4332 wrote to memory of 1616	4332	explorer.exe	110
PID 4332 wrote to memory of 1616	4332	explorer.exe	110
PID 4332 wrote to memory of 4292	4332	explorer.exe	111
PID 4332 wrote to memory of 4292	4332	explorer.exe	111
PID 4332 wrote to memory of 4292	4332	explorer.exe	111
PID 4332 wrote to memory of 1408	4332	explorer.exe	112

C:\Users\Admin\AppData\Local\Temp\ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ab485ed6ee729f85a333a79ed7ec5d60_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4284
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3584
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4148
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:636
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4480
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1932
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1260
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4776
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2780
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4104
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:608
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3708
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5092
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4528
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4080
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4904
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1616
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4292
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1408
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3192
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3416
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5084
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2508
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5100
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2392
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4352
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4268
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:5116
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2292
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:388
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3692
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4312
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1692
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3852
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4584
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5004
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1420
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:884
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3352
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4980
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1520
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4128
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1484
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2324
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4956
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4444
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4300
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4256
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1516
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4648
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2380
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1672
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2768
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1016
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4756
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
455d6f0488918af3a1be2fda90058f7e

SHA1
70dc87c315198aad6be0afe2f47d7461d49cfa3f

SHA256
385350b1893b0d8ac1f0838295a7fad083b7b6e8cd8ea474a2dc3a50dfae72c1

SHA512
ace0687d3f25fc413cbaf770739187b93859a37b75400b97329bc19f5e1204b3a041dcdb37975f9f231415a3000c39238a16c8eb4e8a6ba488890233e82b37a2

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
0bed79f88092f125d6abd04d26312148

SHA1
82aefcf77298846e4effaebd910b92c9ddf31300

SHA256
ba0fac5f6a4b207b9b6b8ff34ab82cd43b54e294001945a22e21d14ac14b3f5e

SHA512
56a2386f9697722ebecd60583a4118a6f161925b968383cf98731c4b6b51a7c022252ada7a2e8f307deb5eb2f82e59621278051100175bc9823595c0d19bf8f2

Download Submit
memory/228-1822-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/544-2981-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-2977-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/608-1146-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/640-2381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-2178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/648-2414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/884-3436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/884-3328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-3601-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-5246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1016-5153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-1618-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1108-2505-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-2089-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-994-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1356-85-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1356-91-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1360-1282-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1408-1814-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1484-4002-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1484-3875-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1516-4599-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-5172-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1552-4612-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-1620-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1808-2122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1828-2403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1828-2544-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1932-993-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1932-1951-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2000-2786-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-2790-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2064-1918-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-31-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2184-37-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2184-0-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2184-33-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2380-4821-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2380-4980-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-2056-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2416-2423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-2427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2508-1917-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2584-5183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-5180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-5005-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-5133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-4849-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3176-2808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3192-1821-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3416-2716-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3416-2561-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-1283-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3584-809-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3584-1824-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3632-4814-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3664-2571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-2955-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3724-4220-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3744-3884-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3888-2664-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3888-2668-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-2078-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4080-1619-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4104-1145-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4140-4831-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4144-1284-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4148-1823-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4148-1984-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4160-1423-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4268-2769-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-2913-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-72-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4284-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4292-1813-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4300-4475-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-4340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-2258-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-4707-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4332-808-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4332-90-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-4843-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-3321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-3317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4480-810-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4480-1920-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4528-1425-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4584-3199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-3116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-2437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-2434-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-2058-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-2151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-2581-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-2776-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-3786-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-3669-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-1948-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-1424-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5100-1950-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5104-2067-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download