pony | c2ce5cc30076394909c2d52ec69d2dec9db53a3f4a15e44aea3ec1071b218835

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
Size

2.2MB
MD5

b3ac06b0f1f465beaaea14c71adff2f4
SHA1

26dcdd1f7ab4d7bb31b0a84f924ae49fc7252c7a
SHA256

c2ce5cc30076394909c2d52ec69d2dec9db53a3f4a15e44aea3ec1071b218835
SHA512

2a9fa5d71cac3bd46d9c510bd279830438b2b749ecc494945aba59ab7227e32465bdc840334d9c20bdc22b78bf838810503710279e78d5982c7892f4b3b166c3
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZm:0UzeyQMS4DqodCnoe+iitjWwwi

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1244	explorer.exe
4196	explorer.exe
2152	spoolsv.exe
4684	spoolsv.exe
1236	spoolsv.exe
4624	spoolsv.exe
3480	spoolsv.exe
4048	spoolsv.exe
2116	spoolsv.exe
4512	spoolsv.exe
1892	spoolsv.exe
1228	spoolsv.exe
4832	spoolsv.exe
1300	spoolsv.exe
5060	spoolsv.exe
2684	spoolsv.exe
3996	spoolsv.exe
4612	spoolsv.exe
1924	spoolsv.exe
4652	spoolsv.exe
1064	spoolsv.exe
2872	spoolsv.exe
4456	spoolsv.exe
3648	spoolsv.exe
1864	spoolsv.exe
1476	spoolsv.exe
1916	spoolsv.exe
3904	spoolsv.exe
2392	spoolsv.exe
1328	spoolsv.exe
3964	spoolsv.exe
1712	spoolsv.exe
3384	explorer.exe
3328	spoolsv.exe
3860	spoolsv.exe
1368	spoolsv.exe
224	explorer.exe
2916	spoolsv.exe
2168	spoolsv.exe
5088	spoolsv.exe
3680	spoolsv.exe
2004	explorer.exe
3152	spoolsv.exe
1312	spoolsv.exe
932	spoolsv.exe
1484	spoolsv.exe
2268	spoolsv.exe
4876	explorer.exe
4444	spoolsv.exe
2156	spoolsv.exe
228	spoolsv.exe
3712	spoolsv.exe
1576	spoolsv.exe
3084	explorer.exe
2024	spoolsv.exe
460	spoolsv.exe
2568	spoolsv.exe
1152	spoolsv.exe
3780	spoolsv.exe
1968	spoolsv.exe
3744	explorer.exe
4808	spoolsv.exe
3264	spoolsv.exe
3032	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 58 IoCs

description	pid	Process	procid_target
PID 460 set thread context of 4524	460	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	86
PID 1244 set thread context of 4196	1244	explorer.exe	95
PID 2152 set thread context of 1712	2152	spoolsv.exe	125
PID 4684 set thread context of 3328	4684	spoolsv.exe	127
PID 1236 set thread context of 1368	1236	spoolsv.exe	129
PID 4624 set thread context of 2916	4624	spoolsv.exe	131
PID 3480 set thread context of 5088	3480	spoolsv.exe	133
PID 4048 set thread context of 3680	4048	spoolsv.exe	134
PID 2116 set thread context of 3152	2116	spoolsv.exe	136
PID 4512 set thread context of 1312	4512	spoolsv.exe	137
PID 1892 set thread context of 932	1892	spoolsv.exe	138
PID 1228 set thread context of 2268	1228	spoolsv.exe	140
PID 4832 set thread context of 4444	4832	spoolsv.exe	142
PID 1300 set thread context of 2156	1300	spoolsv.exe	143
PID 5060 set thread context of 3712	5060	spoolsv.exe	145
PID 2684 set thread context of 1576	2684	spoolsv.exe	146
PID 3996 set thread context of 2024	3996	spoolsv.exe	148
PID 4612 set thread context of 460	4612	spoolsv.exe	149
PID 1924 set thread context of 2568	1924	spoolsv.exe	150
PID 4652 set thread context of 3780	4652	spoolsv.exe	152
PID 1064 set thread context of 1968	1064	spoolsv.exe	153
PID 2872 set thread context of 4808	2872	spoolsv.exe	155
PID 4456 set thread context of 3264	4456	spoolsv.exe	156
PID 3648 set thread context of 4964	3648	spoolsv.exe	158
PID 1864 set thread context of 3896	1864	spoolsv.exe	159
PID 1476 set thread context of 4980	1476	spoolsv.exe	161
PID 1916 set thread context of 1644	1916	spoolsv.exe	162
PID 3904 set thread context of 2264	3904	spoolsv.exe	164
PID 2392 set thread context of 3476	2392	spoolsv.exe	165
PID 1328 set thread context of 1256	1328	spoolsv.exe	166
PID 3964 set thread context of 3544	3964	spoolsv.exe	170
PID 3384 set thread context of 1636	3384	explorer.exe	172
PID 3860 set thread context of 968	3860	spoolsv.exe	174
PID 224 set thread context of 2364	224	explorer.exe	177
PID 2168 set thread context of 3180	2168	spoolsv.exe	180
PID 2004 set thread context of 3548	2004	explorer.exe	182
PID 1484 set thread context of 900	1484	spoolsv.exe	185
PID 4876 set thread context of 1976	4876	explorer.exe	187
PID 228 set thread context of 3600	228	spoolsv.exe	191
PID 3084 set thread context of 1548	3084	explorer.exe	193
PID 1152 set thread context of 1572	1152	spoolsv.exe	195
PID 3744 set thread context of 4952	3744	explorer.exe	198
PID 3032 set thread context of 4156	3032	spoolsv.exe	201
PID 2800 set thread context of 332	2800	explorer.exe	204
PID 3764 set thread context of 2288	3764	spoolsv.exe	206
PID 1944 set thread context of 3200	1944	explorer.exe	208
PID 652 set thread context of 3756	652	spoolsv.exe	209
PID 2944 set thread context of 4468	2944	spoolsv.exe	211
PID 60 set thread context of 2360	60	explorer.exe	212
PID 1140 set thread context of 1648	1140	spoolsv.exe	214
PID 4640 set thread context of 3760	4640	explorer.exe	216
PID 3252 set thread context of 1616	3252	spoolsv.exe	217
PID 2700 set thread context of 2744	2700	spoolsv.exe	219
PID 4984 set thread context of 364	4984	spoolsv.exe	222
PID 4148 set thread context of 2680	4148	spoolsv.exe	224
PID 208 set thread context of 2248	208	spoolsv.exe	226
PID 2332 set thread context of 1524	2332	explorer.exe	228
PID 1672 set thread context of 936	1672	spoolsv.exe	229

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4524	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
4524	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4196	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4524	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
4524	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
1712	spoolsv.exe
1712	spoolsv.exe
3328	spoolsv.exe
3328	spoolsv.exe
1368	spoolsv.exe
1368	spoolsv.exe
2916	spoolsv.exe
2916	spoolsv.exe
5088	spoolsv.exe
5088	spoolsv.exe
3680	spoolsv.exe
3680	spoolsv.exe
3152	spoolsv.exe
3152	spoolsv.exe
1312	spoolsv.exe
1312	spoolsv.exe
932	spoolsv.exe
932	spoolsv.exe
2268	spoolsv.exe
2268	spoolsv.exe
4444	spoolsv.exe
4444	spoolsv.exe
2156	spoolsv.exe
2156	spoolsv.exe
3712	spoolsv.exe
3712	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
2024	spoolsv.exe
2024	spoolsv.exe
460	spoolsv.exe
460	spoolsv.exe
2568	spoolsv.exe
2568	spoolsv.exe
3780	spoolsv.exe
3780	spoolsv.exe
1968	spoolsv.exe
1968	spoolsv.exe
4808	spoolsv.exe
4808	spoolsv.exe
3264	spoolsv.exe
3264	spoolsv.exe
4964	spoolsv.exe
4964	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe
4980	spoolsv.exe
4980	spoolsv.exe
1644	spoolsv.exe
1644	spoolsv.exe
2264	spoolsv.exe
2264	spoolsv.exe
3476	spoolsv.exe
3476	spoolsv.exe
1256	spoolsv.exe
1256	spoolsv.exe
3544	spoolsv.exe
3544	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 896	460	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	81
PID 460 wrote to memory of 896	460	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	81
PID 460 wrote to memory of 4524	460	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	86
PID 460 wrote to memory of 4524	460	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	86
PID 460 wrote to memory of 4524	460	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	86
PID 460 wrote to memory of 4524	460	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	86
PID 460 wrote to memory of 4524	460	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	86
PID 4524 wrote to memory of 1244	4524	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	87
PID 4524 wrote to memory of 1244	4524	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	87
PID 4524 wrote to memory of 1244	4524	b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe	87
PID 1244 wrote to memory of 4196	1244	explorer.exe	95
PID 1244 wrote to memory of 4196	1244	explorer.exe	95
PID 1244 wrote to memory of 4196	1244	explorer.exe	95
PID 1244 wrote to memory of 4196	1244	explorer.exe	95
PID 1244 wrote to memory of 4196	1244	explorer.exe	95
PID 4196 wrote to memory of 2152	4196	explorer.exe	96
PID 4196 wrote to memory of 2152	4196	explorer.exe	96
PID 4196 wrote to memory of 2152	4196	explorer.exe	96
PID 4196 wrote to memory of 4684	4196	explorer.exe	97
PID 4196 wrote to memory of 4684	4196	explorer.exe	97
PID 4196 wrote to memory of 4684	4196	explorer.exe	97
PID 4196 wrote to memory of 1236	4196	explorer.exe	98
PID 4196 wrote to memory of 1236	4196	explorer.exe	98
PID 4196 wrote to memory of 1236	4196	explorer.exe	98
PID 4196 wrote to memory of 4624	4196	explorer.exe	99
PID 4196 wrote to memory of 4624	4196	explorer.exe	99
PID 4196 wrote to memory of 4624	4196	explorer.exe	99
PID 4196 wrote to memory of 3480	4196	explorer.exe	100
PID 4196 wrote to memory of 3480	4196	explorer.exe	100
PID 4196 wrote to memory of 3480	4196	explorer.exe	100
PID 4196 wrote to memory of 4048	4196	explorer.exe	101
PID 4196 wrote to memory of 4048	4196	explorer.exe	101
PID 4196 wrote to memory of 4048	4196	explorer.exe	101
PID 4196 wrote to memory of 2116	4196	explorer.exe	102
PID 4196 wrote to memory of 2116	4196	explorer.exe	102
PID 4196 wrote to memory of 2116	4196	explorer.exe	102
PID 4196 wrote to memory of 4512	4196	explorer.exe	103
PID 4196 wrote to memory of 4512	4196	explorer.exe	103
PID 4196 wrote to memory of 4512	4196	explorer.exe	103
PID 4196 wrote to memory of 1892	4196	explorer.exe	104
PID 4196 wrote to memory of 1892	4196	explorer.exe	104
PID 4196 wrote to memory of 1892	4196	explorer.exe	104
PID 4196 wrote to memory of 1228	4196	explorer.exe	105
PID 4196 wrote to memory of 1228	4196	explorer.exe	105
PID 4196 wrote to memory of 1228	4196	explorer.exe	105
PID 4196 wrote to memory of 4832	4196	explorer.exe	106
PID 4196 wrote to memory of 4832	4196	explorer.exe	106
PID 4196 wrote to memory of 4832	4196	explorer.exe	106
PID 4196 wrote to memory of 1300	4196	explorer.exe	107
PID 4196 wrote to memory of 1300	4196	explorer.exe	107
PID 4196 wrote to memory of 1300	4196	explorer.exe	107
PID 4196 wrote to memory of 5060	4196	explorer.exe	108
PID 4196 wrote to memory of 5060	4196	explorer.exe	108
PID 4196 wrote to memory of 5060	4196	explorer.exe	108
PID 4196 wrote to memory of 2684	4196	explorer.exe	109
PID 4196 wrote to memory of 2684	4196	explorer.exe	109
PID 4196 wrote to memory of 2684	4196	explorer.exe	109
PID 4196 wrote to memory of 3996	4196	explorer.exe	110
PID 4196 wrote to memory of 3996	4196	explorer.exe	110
PID 4196 wrote to memory of 3996	4196	explorer.exe	110
PID 4196 wrote to memory of 4612	4196	explorer.exe	111
PID 4196 wrote to memory of 4612	4196	explorer.exe	111
PID 4196 wrote to memory of 4612	4196	explorer.exe	111
PID 4196 wrote to memory of 1924	4196	explorer.exe	112

C:\Users\Admin\AppData\Local\Temp\b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:460
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:896
- C:\Users\Admin\AppData\Local\Temp\b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b3ac06b0f1f465beaaea14c71adff2f4_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4524
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3384
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4684
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1236
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:224
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4624
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3480
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4048
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3680
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2004
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2116
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4512
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4876
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4832
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5060
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2684
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3084
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4612
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1924
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4652
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3744
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2872
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4456
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3648
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1864
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3896
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2800
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1476
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1916
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3904
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2392
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1328
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:1944
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3964
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3544
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:60
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3860
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:968
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4640
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2168
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3180
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4308
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1484
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:900
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2332
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3600
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1572
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4156
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3764
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2288
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:652
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2944
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1140
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1648
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3252
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2700
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2744
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4984
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4148
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:208
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2248
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1672
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
3b32d10b37bcc6476942b7afc732aa20

SHA1
87c9dda94c46e4f890f443ad61a452ad59c5e882

SHA256
49a24de9a593e8a55b4eab5b2bff9c5cf3c134724828db9af54a02b5f10b4f8b

SHA512
b93246f35561a49047997578a497740d1523bb2279fad33e358c04456d72af587dcd476b99377237d46cce75945efe0fdb025c8a5abf5d1b2618eac853d1ef04

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
b404f5156bc0c36fbabf38392b5afcdd

SHA1
970f7b8dbd8da04b3a16ba8efb7b4ec6ae1dbc9b

SHA256
ca384851b0baaa4255dd935787db3fd2d08c90783f30c7934ae01a055ae94000

SHA512
0ec401f01728997b4dd56aa9f70615774b49fd858537a95f0366e88d726884466c0d1797b8ad1da166dabd5f84e4dea12b2b07d6ae5c80678eca4ce6c7992b9b

Download Submit
memory/332-4603-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/364-5165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/364-5160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/460-2587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/460-0-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/460-27-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/460-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/460-23-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/900-4005-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/900-3902-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/932-2203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-5337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-5341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-3593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-3459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1064-1825-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1228-1446-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1236-786-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1236-1951-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1244-68-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1244-74-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1256-3219-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1300-1448-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1312-2176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-2132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-1956-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1524-5330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-4154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-4231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1576-2567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-4939-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-3292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-2939-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-2936-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-4921-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-1937-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1712-1815-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1892-1282-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1924-1798-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1968-2748-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1976-3913-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-2576-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-1140-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2152-784-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2152-1816-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2156-2370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-2373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-5321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-3011-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2268-2352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2268-2508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2288-4695-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-4809-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-3551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-3548-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-2598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2680-5193-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-1617-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2744-5075-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2744-5241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-1826-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2916-1978-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3152-2165-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-3739-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-3837-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3200-4704-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3264-2767-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3328-1822-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3328-1827-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3476-3021-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3480-1138-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3544-3284-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3544-3425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-3747-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-3750-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-4211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-4145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3648-1976-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3680-2333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-2145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3712-2469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3756-4712-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3760-4930-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3760-4928-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3896-2918-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3996-1618-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4048-1139-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4156-4485-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4156-4582-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-783-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4444-2361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-1955-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4468-4785-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-4790-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4512-1281-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4524-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4524-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4612-1797-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4624-1974-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4624-972-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4652-1799-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4684-785-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4684-1829-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4808-2758-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-1447-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4952-4311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-2893-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-1616-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5088-2078-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download