pony | 1dafa8f30058bbf3bb70be98426dbe686c27dc183d66e4bd9163e09dc111ba7c

Analysis

max time kernel
99s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c833f108d951168449f9038682e5732e_JaffaCakes118.exe
Size

2.2MB
MD5

c833f108d951168449f9038682e5732e
SHA1

7da57466ea7914e292b35792742108c8c96ddd4c
SHA256

1dafa8f30058bbf3bb70be98426dbe686c27dc183d66e4bd9163e09dc111ba7c
SHA512

2b37ffb6ebd9a0c28f7b6f3b2fb980fe46b43b145a6a70d7ead1980927864915aa3ce9a1bbe5b565dce28d8bca251f308c414005c8194bb1fa9b887c5a794787
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZN:0UzeyQMS4DqodCnoe+iitjWwwB

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c833f108d951168449f9038682e5732e_JaffaCakes118.exe	c833f108d951168449f9038682e5732e_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c833f108d951168449f9038682e5732e_JaffaCakes118.exe	c833f108d951168449f9038682e5732e_JaffaCakes118.exe

Executes dropped EXE 50 IoCs

pid	Process
3972	explorer.exe
4972	explorer.exe
1100	spoolsv.exe
4348	spoolsv.exe
1040	spoolsv.exe
3512	spoolsv.exe
412	spoolsv.exe
4116	spoolsv.exe
2588	spoolsv.exe
2324	spoolsv.exe
3056	spoolsv.exe
1144	spoolsv.exe
4232	spoolsv.exe
3668	spoolsv.exe
1840	spoolsv.exe
4084	spoolsv.exe
888	spoolsv.exe
396	spoolsv.exe
3536	spoolsv.exe
4964	spoolsv.exe
4072	spoolsv.exe
1464	spoolsv.exe
436	spoolsv.exe
2600	spoolsv.exe
1716	spoolsv.exe
3636	spoolsv.exe
4580	explorer.exe
5204	spoolsv.exe
5296	spoolsv.exe
5848	spoolsv.exe
5916	spoolsv.exe
5976	explorer.exe
5180	spoolsv.exe
5284	spoolsv.exe
2536	spoolsv.exe
5628	explorer.exe
5832	spoolsv.exe
5936	spoolsv.exe
5580	spoolsv.exe
5644	spoolsv.exe
5704	explorer.exe
5160	spoolsv.exe
5412	spoolsv.exe
5520	explorer.exe
5636	spoolsv.exe
3996	spoolsv.exe
5140	explorer.exe
2156	spoolsv.exe
5792	spoolsv.exe
5756	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 4536	5004	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	104
PID 3972 set thread context of 4972	3972	explorer.exe	109
PID 1100 set thread context of 3636	1100	spoolsv.exe	134
PID 4348 set thread context of 5296	4348	spoolsv.exe	137
PID 1040 set thread context of 5916	1040	spoolsv.exe	139
PID 3512 set thread context of 5284	3512	spoolsv.exe	142
PID 412 set thread context of 2536	412	spoolsv.exe	143
PID 4116 set thread context of 5936	4116	spoolsv.exe	146
PID 2588 set thread context of 5644	2588	spoolsv.exe	148
PID 2324 set thread context of 5412	2324	spoolsv.exe	151
PID 3056 set thread context of 3996	3056	spoolsv.exe	154
PID 1144 set thread context of 5792	1144	spoolsv.exe	157

Drops file in Windows directory 41 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	c833f108d951168449f9038682e5732e_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	c833f108d951168449f9038682e5732e_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c833f108d951168449f9038682e5732e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c833f108d951168449f9038682e5732e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4536	c833f108d951168449f9038682e5732e_JaffaCakes118.exe
4536	c833f108d951168449f9038682e5732e_JaffaCakes118.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
4536	c833f108d951168449f9038682e5732e_JaffaCakes118.exe
4536	c833f108d951168449f9038682e5732e_JaffaCakes118.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
4972	explorer.exe
3636	spoolsv.exe
3636	spoolsv.exe
5296	spoolsv.exe
5296	spoolsv.exe
5916	spoolsv.exe
5916	spoolsv.exe
5284	spoolsv.exe
5284	spoolsv.exe
2536	spoolsv.exe
2536	spoolsv.exe
5936	spoolsv.exe
5936	spoolsv.exe
5644	spoolsv.exe
5644	spoolsv.exe
5412	spoolsv.exe
5412	spoolsv.exe
3996	spoolsv.exe
3996	spoolsv.exe
5792	spoolsv.exe
5792	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 2724	5004	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	91
PID 5004 wrote to memory of 2724	5004	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	91
PID 5004 wrote to memory of 4536	5004	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	104
PID 5004 wrote to memory of 4536	5004	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	104
PID 5004 wrote to memory of 4536	5004	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	104
PID 5004 wrote to memory of 4536	5004	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	104
PID 5004 wrote to memory of 4536	5004	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	104
PID 4536 wrote to memory of 3972	4536	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	105
PID 4536 wrote to memory of 3972	4536	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	105
PID 4536 wrote to memory of 3972	4536	c833f108d951168449f9038682e5732e_JaffaCakes118.exe	105
PID 3972 wrote to memory of 4972	3972	explorer.exe	109
PID 3972 wrote to memory of 4972	3972	explorer.exe	109
PID 3972 wrote to memory of 4972	3972	explorer.exe	109
PID 3972 wrote to memory of 4972	3972	explorer.exe	109
PID 3972 wrote to memory of 4972	3972	explorer.exe	109
PID 4972 wrote to memory of 1100	4972	explorer.exe	110
PID 4972 wrote to memory of 1100	4972	explorer.exe	110
PID 4972 wrote to memory of 1100	4972	explorer.exe	110
PID 4972 wrote to memory of 4348	4972	explorer.exe	111
PID 4972 wrote to memory of 4348	4972	explorer.exe	111
PID 4972 wrote to memory of 4348	4972	explorer.exe	111
PID 4972 wrote to memory of 1040	4972	explorer.exe	112
PID 4972 wrote to memory of 1040	4972	explorer.exe	112
PID 4972 wrote to memory of 1040	4972	explorer.exe	112
PID 4972 wrote to memory of 3512	4972	explorer.exe	113
PID 4972 wrote to memory of 3512	4972	explorer.exe	113
PID 4972 wrote to memory of 3512	4972	explorer.exe	113
PID 4972 wrote to memory of 412	4972	explorer.exe	114
PID 4972 wrote to memory of 412	4972	explorer.exe	114
PID 4972 wrote to memory of 412	4972	explorer.exe	114
PID 4972 wrote to memory of 4116	4972	explorer.exe	115
PID 4972 wrote to memory of 4116	4972	explorer.exe	115
PID 4972 wrote to memory of 4116	4972	explorer.exe	115
PID 4972 wrote to memory of 2588	4972	explorer.exe	116
PID 4972 wrote to memory of 2588	4972	explorer.exe	116
PID 4972 wrote to memory of 2588	4972	explorer.exe	116
PID 4972 wrote to memory of 2324	4972	explorer.exe	118
PID 4972 wrote to memory of 2324	4972	explorer.exe	118
PID 4972 wrote to memory of 2324	4972	explorer.exe	118
PID 4972 wrote to memory of 3056	4972	explorer.exe	119
PID 4972 wrote to memory of 3056	4972	explorer.exe	119
PID 4972 wrote to memory of 3056	4972	explorer.exe	119
PID 4972 wrote to memory of 1144	4972	explorer.exe	120
PID 4972 wrote to memory of 1144	4972	explorer.exe	120
PID 4972 wrote to memory of 1144	4972	explorer.exe	120
PID 4972 wrote to memory of 4232	4972	explorer.exe	121
PID 4972 wrote to memory of 4232	4972	explorer.exe	121
PID 4972 wrote to memory of 4232	4972	explorer.exe	121
PID 4972 wrote to memory of 3668	4972	explorer.exe	122
PID 4972 wrote to memory of 3668	4972	explorer.exe	122
PID 4972 wrote to memory of 3668	4972	explorer.exe	122
PID 4972 wrote to memory of 1840	4972	explorer.exe	123
PID 4972 wrote to memory of 1840	4972	explorer.exe	123
PID 4972 wrote to memory of 1840	4972	explorer.exe	123
PID 4972 wrote to memory of 4084	4972	explorer.exe	124
PID 4972 wrote to memory of 4084	4972	explorer.exe	124
PID 4972 wrote to memory of 4084	4972	explorer.exe	124
PID 4972 wrote to memory of 888	4972	explorer.exe	125
PID 4972 wrote to memory of 888	4972	explorer.exe	125
PID 4972 wrote to memory of 888	4972	explorer.exe	125
PID 4972 wrote to memory of 396	4972	explorer.exe	126
PID 4972 wrote to memory of 396	4972	explorer.exe	126
PID 4972 wrote to memory of 396	4972	explorer.exe	126
PID 4972 wrote to memory of 3536	4972	explorer.exe	127

C:\Users\Admin\AppData\Local\Temp\c833f108d951168449f9038682e5732e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c833f108d951168449f9038682e5732e_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\c833f108d951168449f9038682e5732e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c833f108d951168449f9038682e5732e_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4536
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1100
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4348
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1040
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5916
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5976
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3512
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:412
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4116
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2588
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5644
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2324
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5412
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5520
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3996
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5792
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4232
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1508
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5768
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5488
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5508
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5780
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5968
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:888
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4192
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4792
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3536
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2320
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4952
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4964
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2216
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4200
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4072
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:760
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5360
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1464
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:436
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5332
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1208
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1716
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5324
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1540
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5204
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5848
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2904
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6072
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5180
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6024
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5832
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5580
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2156
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5652
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2316
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5616
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5908
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3496
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6120
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5504
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:724
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2756
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5480
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3508
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4268
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3980
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5200
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3136
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2596
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3124
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4448,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
de64f94df99e6a9a5a20cb61b051c124

SHA1
841961df40211a53233a4175b7c7918ff74f851c

SHA256
442101bb69ad32a9f518f62b4a059d45267bf625d6559a651721dfdd92d3b632

SHA512
e9308e8c74f863582327d6c151481fb391675104eef3d3e8b725e7df338848bb1292bac4da0b0620058ca16b484142338f2d414e9dd12ed7e743ca4ed05ba17a

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
b28c99f87d6ba08327404c7592bb33fc

SHA1
85387bdfaee80c09f075a867115ec82970fc414c

SHA256
a733020d253d4e8ee0338ab2bb046cfa5e34e965cd82fcbd3a03a0a8a67a601f

SHA512
791260a6cc981b39b19e37098ed287780d6163c62d267bf9d037389ae71f3a5b82789b61fab1a17172037c2156fe6acd97c0a35d0e307adff2d345181f984215

Download Submit
memory/396-1681-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/404-4465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/412-792-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/508-3150-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/760-3764-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-1541-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1040-1686-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1040-726-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1100-1461-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1100-547-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1144-1132-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1236-4598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1508-2598-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-4590-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1840-1374-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1940-4012-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-4166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-3447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-3593-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-3417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2320-3288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2324-1009-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2368-4339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-1973-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-1850-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-958-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2596-5240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-4359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-5250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-4800-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-4919-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-4837-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2800-4834-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2904-4123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3056-1055-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3260-4318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3436-4327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3508-4943-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3512-1778-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3512-781-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3536-1758-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3636-1629-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3636-1463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-1246-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3928-4347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3972-64-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3972-69-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3980-5219-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3996-2302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3996-2411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-1844-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4084-1455-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4116-827-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4140-3793-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4140-3789-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-3067-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-3213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-1189-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4348-1549-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4348-627-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4536-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4596-5080-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-2840-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-1775-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4972-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/5004-27-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5004-22-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/5004-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5168-4846-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5260-4606-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5284-1776-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5296-1546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5296-1548-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/5296-1551-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5324-4098-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5332-3891-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5332-3619-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5392-4623-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5412-2195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5452-4616-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5488-2723-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5540-4475-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5616-4580-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5644-2173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5728-4952-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5780-3048-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5780-2954-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5792-2579-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5872-4571-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5880-4444-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5904-4816-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5916-1827-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5936-1905-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6024-4297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6104-5092-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download