pony | 5e82e68c3d022ca354da812ce93547d8e7e162ad12291b1d9e0fc172b1ea20de

Analysis

max time kernel
111s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
Size

2.2MB
MD5

cf884470fa9dc9fd51d1d0359a8a5377
SHA1

4d8a4fcb0b63cb6baac5cfb5e17fd85558eb6956
SHA256

5e82e68c3d022ca354da812ce93547d8e7e162ad12291b1d9e0fc172b1ea20de
SHA512

178656f08dd50e350582ea940fcd48562e8a941e6d7cce83f5be8787759bc4ba1f304f9fc4274cc28d8ee7594df6f9fd3693ed6a4c93b153cb53cd3dfd7d17de
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZP:0UzeyQMS4DqodCnoe+iitjWwwr

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe

Executes dropped EXE 63 IoCs

pid	Process
4592	explorer.exe
4392	explorer.exe
4380	spoolsv.exe
2992	spoolsv.exe
4344	spoolsv.exe
1056	spoolsv.exe
1064	spoolsv.exe
2044	spoolsv.exe
4712	spoolsv.exe
4448	spoolsv.exe
2468	spoolsv.exe
1280	spoolsv.exe
396	spoolsv.exe
2068	spoolsv.exe
1464	spoolsv.exe
4944	spoolsv.exe
3532	spoolsv.exe
1640	spoolsv.exe
1112	spoolsv.exe
876	spoolsv.exe
2340	spoolsv.exe
5068	spoolsv.exe
4520	spoolsv.exe
2588	spoolsv.exe
4900	spoolsv.exe
368	spoolsv.exe
1856	spoolsv.exe
708	explorer.exe
3976	spoolsv.exe
3988	spoolsv.exe
1868	spoolsv.exe
4588	spoolsv.exe
3696	explorer.exe
3444	spoolsv.exe
4032	spoolsv.exe
5080	spoolsv.exe
4772	spoolsv.exe
1596	explorer.exe
3584	spoolsv.exe
2832	spoolsv.exe
2716	spoolsv.exe
4360	explorer.exe
4304	spoolsv.exe
4048	spoolsv.exe
4132	spoolsv.exe
4580	explorer.exe
1572	spoolsv.exe
3004	spoolsv.exe
1220	spoolsv.exe
4416	explorer.exe
3156	spoolsv.exe
2712	spoolsv.exe
1452	spoolsv.exe
4544	spoolsv.exe
620	explorer.exe
4300	spoolsv.exe
3480	spoolsv.exe
4400	spoolsv.exe
3196	explorer.exe
3404	spoolsv.exe
5040	spoolsv.exe
3480	spoolsv.exe
4860	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 22 IoCs

description	pid	Process	procid_target
PID 1532 set thread context of 2952	1532	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	94
PID 4592 set thread context of 4392	4592	explorer.exe	99
PID 4380 set thread context of 1856	4380	spoolsv.exe	124
PID 2992 set thread context of 3976	2992	spoolsv.exe	126
PID 4344 set thread context of 1868	4344	spoolsv.exe	128
PID 1056 set thread context of 4588	1056	spoolsv.exe	129
PID 1064 set thread context of 3444	1064	spoolsv.exe	131
PID 2044 set thread context of 5080	2044	spoolsv.exe	133
PID 4712 set thread context of 4772	4712	spoolsv.exe	134
PID 4448 set thread context of 2832	4448	spoolsv.exe	138
PID 2468 set thread context of 2716	2468	spoolsv.exe	139
PID 1280 set thread context of 4304	1280	spoolsv.exe	141
PID 396 set thread context of 4132	396	spoolsv.exe	143
PID 2068 set thread context of 1572	2068	spoolsv.exe	145
PID 1464 set thread context of 1220	1464	spoolsv.exe	147
PID 4944 set thread context of 3156	4944	spoolsv.exe	149
PID 3532 set thread context of 1452	3532	spoolsv.exe	151
PID 1640 set thread context of 4544	1640	spoolsv.exe	152
PID 1112 set thread context of 3480	1112	spoolsv.exe	160
PID 876 set thread context of 4400	876	spoolsv.exe	156
PID 2340 set thread context of 5040	2340	spoolsv.exe	159
PID 5068 set thread context of 3480	5068	spoolsv.exe	160

Drops file in Windows directory 44 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2952	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
2952	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2952	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
2952	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
4392	explorer.exe
1856	spoolsv.exe
1856	spoolsv.exe
3976	spoolsv.exe
3976	spoolsv.exe
1868	spoolsv.exe
1868	spoolsv.exe
4588	spoolsv.exe
4588	spoolsv.exe
3444	spoolsv.exe
3444	spoolsv.exe
5080	spoolsv.exe
5080	spoolsv.exe
4772	spoolsv.exe
4772	spoolsv.exe
2832	spoolsv.exe
2832	spoolsv.exe
2716	spoolsv.exe
2716	spoolsv.exe
4304	spoolsv.exe
4304	spoolsv.exe
4132	spoolsv.exe
4132	spoolsv.exe
1572	spoolsv.exe
1572	spoolsv.exe
1220	spoolsv.exe
1220	spoolsv.exe
3156	spoolsv.exe
3156	spoolsv.exe
1452	spoolsv.exe
1452	spoolsv.exe
4544	spoolsv.exe
4544	spoolsv.exe
3480	spoolsv.exe
3480	spoolsv.exe
4400	spoolsv.exe
4400	spoolsv.exe
5040	spoolsv.exe
5040	spoolsv.exe
3480	spoolsv.exe
3480	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 5008	1532	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	83
PID 1532 wrote to memory of 5008	1532	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	83
PID 1532 wrote to memory of 2952	1532	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	94
PID 1532 wrote to memory of 2952	1532	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	94
PID 1532 wrote to memory of 2952	1532	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	94
PID 1532 wrote to memory of 2952	1532	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	94
PID 1532 wrote to memory of 2952	1532	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	94
PID 2952 wrote to memory of 4592	2952	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	96
PID 2952 wrote to memory of 4592	2952	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	96
PID 2952 wrote to memory of 4592	2952	cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe	96
PID 4592 wrote to memory of 4392	4592	explorer.exe	99
PID 4592 wrote to memory of 4392	4592	explorer.exe	99
PID 4592 wrote to memory of 4392	4592	explorer.exe	99
PID 4592 wrote to memory of 4392	4592	explorer.exe	99
PID 4592 wrote to memory of 4392	4592	explorer.exe	99
PID 4392 wrote to memory of 4380	4392	explorer.exe	100
PID 4392 wrote to memory of 4380	4392	explorer.exe	100
PID 4392 wrote to memory of 4380	4392	explorer.exe	100
PID 4392 wrote to memory of 2992	4392	explorer.exe	101
PID 4392 wrote to memory of 2992	4392	explorer.exe	101
PID 4392 wrote to memory of 2992	4392	explorer.exe	101
PID 4392 wrote to memory of 4344	4392	explorer.exe	102
PID 4392 wrote to memory of 4344	4392	explorer.exe	102
PID 4392 wrote to memory of 4344	4392	explorer.exe	102
PID 4392 wrote to memory of 1056	4392	explorer.exe	103
PID 4392 wrote to memory of 1056	4392	explorer.exe	103
PID 4392 wrote to memory of 1056	4392	explorer.exe	103
PID 4392 wrote to memory of 1064	4392	explorer.exe	104
PID 4392 wrote to memory of 1064	4392	explorer.exe	104
PID 4392 wrote to memory of 1064	4392	explorer.exe	104
PID 4392 wrote to memory of 2044	4392	explorer.exe	105
PID 4392 wrote to memory of 2044	4392	explorer.exe	105
PID 4392 wrote to memory of 2044	4392	explorer.exe	105
PID 4392 wrote to memory of 4712	4392	explorer.exe	106
PID 4392 wrote to memory of 4712	4392	explorer.exe	106
PID 4392 wrote to memory of 4712	4392	explorer.exe	106
PID 4392 wrote to memory of 4448	4392	explorer.exe	107
PID 4392 wrote to memory of 4448	4392	explorer.exe	107
PID 4392 wrote to memory of 4448	4392	explorer.exe	107
PID 4392 wrote to memory of 2468	4392	explorer.exe	108
PID 4392 wrote to memory of 2468	4392	explorer.exe	108
PID 4392 wrote to memory of 2468	4392	explorer.exe	108
PID 4392 wrote to memory of 1280	4392	explorer.exe	109
PID 4392 wrote to memory of 1280	4392	explorer.exe	109
PID 4392 wrote to memory of 1280	4392	explorer.exe	109
PID 4392 wrote to memory of 396	4392	explorer.exe	110
PID 4392 wrote to memory of 396	4392	explorer.exe	110
PID 4392 wrote to memory of 396	4392	explorer.exe	110
PID 4392 wrote to memory of 2068	4392	explorer.exe	111
PID 4392 wrote to memory of 2068	4392	explorer.exe	111
PID 4392 wrote to memory of 2068	4392	explorer.exe	111
PID 4392 wrote to memory of 1464	4392	explorer.exe	112
PID 4392 wrote to memory of 1464	4392	explorer.exe	112
PID 4392 wrote to memory of 1464	4392	explorer.exe	112
PID 4392 wrote to memory of 4944	4392	explorer.exe	113
PID 4392 wrote to memory of 4944	4392	explorer.exe	113
PID 4392 wrote to memory of 4944	4392	explorer.exe	113
PID 4392 wrote to memory of 3532	4392	explorer.exe	114
PID 4392 wrote to memory of 3532	4392	explorer.exe	114
PID 4392 wrote to memory of 3532	4392	explorer.exe	114
PID 4392 wrote to memory of 1640	4392	explorer.exe	115
PID 4392 wrote to memory of 1640	4392	explorer.exe	115
PID 4392 wrote to memory of 1640	4392	explorer.exe	115
PID 4392 wrote to memory of 1112	4392	explorer.exe	116

C:\Users\Admin\AppData\Local\Temp\cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5008
- C:\Users\Admin\AppData\Local\Temp\cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\cf884470fa9dc9fd51d1d0359a8a5377_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2952
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4380
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:708
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2992
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4344
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2044
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4712
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4772
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2468
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1280
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2068
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1464
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4944
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1640
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4544
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1112
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4400
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2340
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5068
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4520
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2588
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4900
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4760
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:860
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:368
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1544
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1068
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3988
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:648
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2848
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2864
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3584
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:912
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4048
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2944
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2692
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2712
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4484
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4996
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3404
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2456
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4704
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3844
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4224
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2636
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
69f8bc133094563f5c3309a20c31c9a6

SHA1
4285c1263d1286064c42c62f3e8e1c2ddc9c9dd5

SHA256
68134654b85cd78c9c1f54a518e3b595dde286a81665d78bdaeffd9eab451a62

SHA512
21a66318462eb5bf76b90fe0d8cfa5487a6f7789cb2b7051ca8ec8203287bf6ecc5ad2661cfb3f062d5a89d4c608319fd248bb7d1e38969ce2922f8e6854bebb

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
2.2MB

MD5
3eaa257e8bfe81a3ec9f1cbf853a703d

SHA1
e41cf7a3ab0b0a2e5d5b0a6ae6f92ad684b6fa4a

SHA256
6cefac966e9bd6b7be2c48459127cab934947f6d9c6ea5839d067bfa3f8baede

SHA512
e675a006e3135f3127c1b82ac0f9456ee71be4a74da1eeedeefd6aa422cee32bf84f88eb37fc23e1fab5c95e23a86543bd32d0e7a43dea4dc015a1c0e765306c

Download Submit
memory/396-1238-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/648-3492-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/648-3365-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-1685-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/912-3888-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-3716-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1044-4867-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-1763-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1056-803-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1064-874-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1068-2886-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1112-1606-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1220-2493-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-1166-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1432-3950-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-2451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1452-2447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-1448-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1508-4651-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-32-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1532-0-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1532-39-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1532-31-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1544-3163-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1544-3276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-2230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-2234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-1598-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1712-4973-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-1759-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-1599-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-1695-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-1692-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1924-3793-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2044-930-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2068-1305-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2340-1765-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2456-4698-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2456-4590-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-1150-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2636-4979-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2692-4074-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-2094-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-2205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-4882-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-4886-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-2009-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-3692-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-4846-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-3929-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-4048-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-78-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-1610-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2992-734-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3076-2873-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3156-2367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3256-4836-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-4823-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3384-3645-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3444-1786-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3472-4479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3480-2923-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3480-2818-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3480-2568-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-1587-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3844-4949-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3924-3454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-1611-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3976-1608-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3976-1613-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4132-2341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4292-4736-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4304-2105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4344-792-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4344-1696-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4380-543-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4380-1600-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4392-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4392-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-2801-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4400-2651-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-1109-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4484-4311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-2511-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-2616-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-3303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-1766-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-1919-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4592-84-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4592-90-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4596-4233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4712-991-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4772-1937-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-2077-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4944-1510-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4996-4466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-4572-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-2734-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5040-2737-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5068-1778-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5080-1854-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download