pony | 599b362f84c57a449b597b5f1a37199f46dbf1eb2eaf3d0b9058be2578537a17

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
Size

2.2MB
MD5

b46c9e19feb5f5dcd285a8073cb4cc88
SHA1

bf38ef6416f45c07bec5ba90ad9a4394811b6de8
SHA256

599b362f84c57a449b597b5f1a37199f46dbf1eb2eaf3d0b9058be2578537a17
SHA512

c63179743aae51587bca0712d86156c8ee8ebb635947288f6c9dc8517ac1ac59c00acc7fac309d9dd66f6fdb7bed41e17d1523c9265f12b30180e457b5729807
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZT:0UzeyQMS4DqodCnoe+iitjWww/

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2904	explorer.exe
1528	explorer.exe
3752	spoolsv.exe
1088	spoolsv.exe
540	spoolsv.exe
4044	spoolsv.exe
2804	spoolsv.exe
4156	spoolsv.exe
3036	spoolsv.exe
1152	spoolsv.exe
2768	spoolsv.exe
1120	spoolsv.exe
4980	spoolsv.exe
1400	spoolsv.exe
3060	spoolsv.exe
3180	spoolsv.exe
3116	spoolsv.exe
4680	spoolsv.exe
5060	spoolsv.exe
2472	spoolsv.exe
4224	spoolsv.exe
4836	spoolsv.exe
3152	spoolsv.exe
1416	spoolsv.exe
1144	spoolsv.exe
220	spoolsv.exe
1944	spoolsv.exe
2204	spoolsv.exe
1076	spoolsv.exe
4472	spoolsv.exe
3896	spoolsv.exe
2728	spoolsv.exe
5012	spoolsv.exe
872	explorer.exe
116	spoolsv.exe
4292	spoolsv.exe
376	spoolsv.exe
2436	spoolsv.exe
4768	spoolsv.exe
2192	spoolsv.exe
2120	explorer.exe
4684	spoolsv.exe
4780	spoolsv.exe
4976	spoolsv.exe
5004	spoolsv.exe
3384	spoolsv.exe
1480	explorer.exe
2800	spoolsv.exe
772	spoolsv.exe
1736	spoolsv.exe
4764	spoolsv.exe
5080	explorer.exe
2344	spoolsv.exe
4864	spoolsv.exe
1808	spoolsv.exe
4916	spoolsv.exe
4840	spoolsv.exe
4924	spoolsv.exe
3108	spoolsv.exe
4692	explorer.exe
4112	spoolsv.exe
2232	spoolsv.exe
4020	spoolsv.exe
4540	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 54 IoCs

description	pid	Process	procid_target
PID 392 set thread context of 3884	392	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	88
PID 2904 set thread context of 1528	2904	explorer.exe	99
PID 3752 set thread context of 5012	3752	spoolsv.exe	131
PID 1088 set thread context of 116	1088	spoolsv.exe	133
PID 540 set thread context of 4292	540	spoolsv.exe	134
PID 4044 set thread context of 376	4044	spoolsv.exe	135
PID 2804 set thread context of 2436	2804	spoolsv.exe	136
PID 4156 set thread context of 2192	4156	spoolsv.exe	138
PID 3036 set thread context of 4684	3036	spoolsv.exe	140
PID 1152 set thread context of 4780	1152	spoolsv.exe	141
PID 2768 set thread context of 4976	2768	spoolsv.exe	142
PID 1120 set thread context of 3384	1120	spoolsv.exe	144
PID 4980 set thread context of 2800	4980	spoolsv.exe	146
PID 1400 set thread context of 772	1400	spoolsv.exe	147
PID 3060 set thread context of 1736	3060	spoolsv.exe	148
PID 3180 set thread context of 4764	3180	spoolsv.exe	149
PID 3116 set thread context of 4864	3116	spoolsv.exe	152
PID 4680 set thread context of 1808	4680	spoolsv.exe	153
PID 5060 set thread context of 4916	5060	spoolsv.exe	154
PID 2472 set thread context of 4840	2472	spoolsv.exe	155
PID 4224 set thread context of 3108	4224	spoolsv.exe	157
PID 4836 set thread context of 4112	4836	spoolsv.exe	159
PID 3152 set thread context of 2232	3152	spoolsv.exe	160
PID 1416 set thread context of 4020	1416	spoolsv.exe	161
PID 1144 set thread context of 956	1144	spoolsv.exe	163
PID 220 set thread context of 1592	220	spoolsv.exe	165
PID 1944 set thread context of 3328	1944	spoolsv.exe	166
PID 2204 set thread context of 4528	2204	spoolsv.exe	167
PID 1076 set thread context of 4064	1076	spoolsv.exe	169
PID 4472 set thread context of 4412	4472	spoolsv.exe	170
PID 3896 set thread context of 4740	3896	spoolsv.exe	172
PID 2728 set thread context of 2300	2728	spoolsv.exe	177
PID 872 set thread context of 1640	872	explorer.exe	179
PID 4768 set thread context of 404	4768	spoolsv.exe	182
PID 2120 set thread context of 3668	2120	explorer.exe	184
PID 1480 set thread context of 3968	1480	explorer.exe	187
PID 5004 set thread context of 4828	5004	spoolsv.exe	188
PID 5080 set thread context of 3916	5080	explorer.exe	194
PID 2344 set thread context of 1368	2344	spoolsv.exe	193
PID 4924 set thread context of 4536	4924	spoolsv.exe	198
PID 4692 set thread context of 4148	4692	explorer.exe	200
PID 4540 set thread context of 1512	4540	spoolsv.exe	203
PID 3584 set thread context of 4500	3584	explorer.exe	206
PID 2284 set thread context of 4180	2284	spoolsv.exe	208
PID 2760 set thread context of 2900	2760	explorer.exe	210
PID 1812 set thread context of 4860	1812	spoolsv.exe	211
PID 1708 set thread context of 3604	1708	spoolsv.exe	213
PID 4496 set thread context of 1964	4496	spoolsv.exe	215
PID 2148 set thread context of 4420	2148	spoolsv.exe	218
PID 2980 set thread context of 4300	2980	explorer.exe	219
PID 4856 set thread context of 620	4856	spoolsv.exe	220
PID 1240 set thread context of 1248	1240	spoolsv.exe	224
PID 4960 set thread context of 1652	4960	explorer.exe	226
PID 2680 set thread context of 1992	2680	spoolsv.exe	227

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3884	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
3884	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1528	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3884	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
3884	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
1528	explorer.exe
5012	spoolsv.exe
5012	spoolsv.exe
116	spoolsv.exe
116	spoolsv.exe
4292	spoolsv.exe
4292	spoolsv.exe
376	spoolsv.exe
376	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
2192	spoolsv.exe
2192	spoolsv.exe
4684	spoolsv.exe
4684	spoolsv.exe
4780	spoolsv.exe
4780	spoolsv.exe
4976	spoolsv.exe
4976	spoolsv.exe
3384	spoolsv.exe
3384	spoolsv.exe
2800	spoolsv.exe
2800	spoolsv.exe
772	spoolsv.exe
772	spoolsv.exe
1736	spoolsv.exe
1736	spoolsv.exe
4764	spoolsv.exe
4764	spoolsv.exe
4864	spoolsv.exe
4864	spoolsv.exe
1808	spoolsv.exe
1808	spoolsv.exe
4916	spoolsv.exe
4916	spoolsv.exe
4840	spoolsv.exe
4840	spoolsv.exe
3108	spoolsv.exe
3108	spoolsv.exe
4112	spoolsv.exe
4112	spoolsv.exe
2232	spoolsv.exe
2232	spoolsv.exe
4020	spoolsv.exe
4020	spoolsv.exe
956	spoolsv.exe
956	spoolsv.exe
1592	spoolsv.exe
1592	spoolsv.exe
3328	spoolsv.exe
3328	spoolsv.exe
4528	spoolsv.exe
4528	spoolsv.exe
4064	spoolsv.exe
4064	spoolsv.exe
4412	spoolsv.exe
4412	spoolsv.exe
4740	spoolsv.exe
4740	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 4968	392	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	82
PID 392 wrote to memory of 4968	392	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	82
PID 392 wrote to memory of 3884	392	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	88
PID 392 wrote to memory of 3884	392	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	88
PID 392 wrote to memory of 3884	392	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	88
PID 392 wrote to memory of 3884	392	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	88
PID 392 wrote to memory of 3884	392	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	88
PID 3884 wrote to memory of 2904	3884	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	89
PID 3884 wrote to memory of 2904	3884	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	89
PID 3884 wrote to memory of 2904	3884	b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe	89
PID 2904 wrote to memory of 1528	2904	explorer.exe	99
PID 2904 wrote to memory of 1528	2904	explorer.exe	99
PID 2904 wrote to memory of 1528	2904	explorer.exe	99
PID 2904 wrote to memory of 1528	2904	explorer.exe	99
PID 2904 wrote to memory of 1528	2904	explorer.exe	99
PID 1528 wrote to memory of 3752	1528	explorer.exe	100
PID 1528 wrote to memory of 3752	1528	explorer.exe	100
PID 1528 wrote to memory of 3752	1528	explorer.exe	100
PID 1528 wrote to memory of 1088	1528	explorer.exe	101
PID 1528 wrote to memory of 1088	1528	explorer.exe	101
PID 1528 wrote to memory of 1088	1528	explorer.exe	101
PID 1528 wrote to memory of 540	1528	explorer.exe	102
PID 1528 wrote to memory of 540	1528	explorer.exe	102
PID 1528 wrote to memory of 540	1528	explorer.exe	102
PID 1528 wrote to memory of 4044	1528	explorer.exe	103
PID 1528 wrote to memory of 4044	1528	explorer.exe	103
PID 1528 wrote to memory of 4044	1528	explorer.exe	103
PID 1528 wrote to memory of 2804	1528	explorer.exe	104
PID 1528 wrote to memory of 2804	1528	explorer.exe	104
PID 1528 wrote to memory of 2804	1528	explorer.exe	104
PID 1528 wrote to memory of 4156	1528	explorer.exe	106
PID 1528 wrote to memory of 4156	1528	explorer.exe	106
PID 1528 wrote to memory of 4156	1528	explorer.exe	106
PID 1528 wrote to memory of 3036	1528	explorer.exe	107
PID 1528 wrote to memory of 3036	1528	explorer.exe	107
PID 1528 wrote to memory of 3036	1528	explorer.exe	107
PID 1528 wrote to memory of 1152	1528	explorer.exe	108
PID 1528 wrote to memory of 1152	1528	explorer.exe	108
PID 1528 wrote to memory of 1152	1528	explorer.exe	108
PID 1528 wrote to memory of 2768	1528	explorer.exe	109
PID 1528 wrote to memory of 2768	1528	explorer.exe	109
PID 1528 wrote to memory of 2768	1528	explorer.exe	109
PID 1528 wrote to memory of 1120	1528	explorer.exe	110
PID 1528 wrote to memory of 1120	1528	explorer.exe	110
PID 1528 wrote to memory of 1120	1528	explorer.exe	110
PID 1528 wrote to memory of 4980	1528	explorer.exe	111
PID 1528 wrote to memory of 4980	1528	explorer.exe	111
PID 1528 wrote to memory of 4980	1528	explorer.exe	111
PID 1528 wrote to memory of 1400	1528	explorer.exe	112
PID 1528 wrote to memory of 1400	1528	explorer.exe	112
PID 1528 wrote to memory of 1400	1528	explorer.exe	112
PID 1528 wrote to memory of 3060	1528	explorer.exe	113
PID 1528 wrote to memory of 3060	1528	explorer.exe	113
PID 1528 wrote to memory of 3060	1528	explorer.exe	113
PID 1528 wrote to memory of 3180	1528	explorer.exe	114
PID 1528 wrote to memory of 3180	1528	explorer.exe	114
PID 1528 wrote to memory of 3180	1528	explorer.exe	114
PID 1528 wrote to memory of 3116	1528	explorer.exe	115
PID 1528 wrote to memory of 3116	1528	explorer.exe	115
PID 1528 wrote to memory of 3116	1528	explorer.exe	115
PID 1528 wrote to memory of 4680	1528	explorer.exe	116
PID 1528 wrote to memory of 4680	1528	explorer.exe	116
PID 1528 wrote to memory of 4680	1528	explorer.exe	116
PID 1528 wrote to memory of 5060	1528	explorer.exe	117

C:\Users\Admin\AppData\Local\Temp\b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b46c9e19feb5f5dcd285a8073cb4cc88_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3884
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3752
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5012
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:872
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4044
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2804
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4156
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2120
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3036
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2768
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1120
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3384
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1480
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3060
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3180
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4764
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5080
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3116
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4680
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5060
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4224
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3108
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4692
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4836
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1416
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:3584
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:220
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1944
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2204
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2760
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2728
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2300
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2980
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4768
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:404
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4960
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4828
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2344
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1368
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4924
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4536
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4540
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1512
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2284
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4180
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1812
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1708
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4496
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1964
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2148
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:620
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1240
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1248
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2680
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
29426534e91c9c99411747acc8b444c6

SHA1
e0544900eadb254a9ce672e195d1adb3177b2d10

SHA256
3d39c2661fa7cc4f97b9c409450cfe326788a3cbb7f52c371237c0c2903a31c5

SHA512
9e36920169fc339a6e6a901521a05a527ee3508291e77b603873bbea5883b7a0c7ff2c76a2d7f21588116f80f0a92a8a70a1a9e64ca93c71d2acfe322f073f2d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
bec5228e690b196e4b8f4c6a7b5b7ac8

SHA1
615ccf09117320fea0b77dad9467535f76b538cf

SHA256
7347521559e3d7913106e5d48ae9417cebbf0dc7e0a99e46cbfee6aa5c84dba2

SHA512
03c7f19e1280251c68f9f9dcc4a6a737e0e5b4e58ceb08c7ab14905a4085db75403f4a9fd71e82222873782606eb74bc8c02597d9160fb97117bb0ec8b1af71e

Download Submit
memory/116-1985-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/376-2007-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/392-0-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/392-28-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/392-23-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/392-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/404-3476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/404-3600-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/540-1003-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/540-1996-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/620-4977-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/620-4860-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-2356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-2864-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-1002-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1088-1987-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1120-1527-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1144-2006-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1152-1378-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1248-5138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1248-5065-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-4014-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-3949-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1400-1529-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1416-1994-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1512-4389-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-4243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-835-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-2873-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-3332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1736-2367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-2550-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-4688-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1964-4811-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-5082-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1992-5085-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-2319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2192-2154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2232-2717-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-3323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-3390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-2016-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-1876-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2768-1379-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2800-2347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2804-1185-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2900-4435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2904-66-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2904-71-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3036-1187-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3060-1693-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3108-2699-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3108-2801-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3116-1695-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3152-1984-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3180-1694-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3328-2881-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3384-2327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3384-2409-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-4592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-3482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-3487-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3752-836-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3752-1976-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3884-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3884-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3884-53-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3884-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3916-3956-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3968-3687-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-2727-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4044-1004-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4112-2706-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4148-4094-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4156-1186-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4180-4425-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4180-4573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4224-1973-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4292-1995-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4300-4846-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4412-3118-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4420-4815-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4500-4327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4500-4331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4528-2891-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-4086-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4680-1874-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4684-2163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4740-3045-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4764-2462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-2176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-3819-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4836-1974-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4864-2540-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4916-2562-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4976-2185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4980-1528-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5012-1975-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-2136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5060-1875-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download