pony | 454e582ad2812ff509c403b51346338688a90d54e43fb64d0df9197403f5b6f7

Analysis

max time kernel
103s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
Size

2.2MB
MD5

dc87d7130991a25da381b43d386a91d4
SHA1

602b6be4ce276d358385e473a423ce0c43eb11c4
SHA256

454e582ad2812ff509c403b51346338688a90d54e43fb64d0df9197403f5b6f7
SHA512

219f3049b5fbb197c6a459f526eb0d0deba921e5b4de6c31f33e16bb80c1e33de8d08eb6ae033dbe65eff7c898146bac88abbe6304ebca047ee71b34edc7e53a
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZI:0UzeyQMS4DqodCnoe+iitjWwwk

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe

Executes dropped EXE 54 IoCs

pid	Process
2060	explorer.exe
4792	explorer.exe
4844	spoolsv.exe
2248	spoolsv.exe
388	spoolsv.exe
3844	spoolsv.exe
4532	spoolsv.exe
1808	spoolsv.exe
3264	spoolsv.exe
4676	spoolsv.exe
3496	spoolsv.exe
4752	spoolsv.exe
4924	spoolsv.exe
3856	spoolsv.exe
3224	spoolsv.exe
1832	spoolsv.exe
4800	spoolsv.exe
2060	spoolsv.exe
4856	spoolsv.exe
4508	spoolsv.exe
4704	spoolsv.exe
2728	spoolsv.exe
964	spoolsv.exe
1312	spoolsv.exe
3316	spoolsv.exe
4468	explorer.exe
896	spoolsv.exe
4872	spoolsv.exe
2676	explorer.exe
2900	spoolsv.exe
4916	spoolsv.exe
4460	spoolsv.exe
1664	spoolsv.exe
1928	spoolsv.exe
5052	explorer.exe
3668	spoolsv.exe
2780	spoolsv.exe
5036	explorer.exe
1180	spoolsv.exe
1112	spoolsv.exe
4552	explorer.exe
4064	spoolsv.exe
1080	spoolsv.exe
1032	spoolsv.exe
1152	spoolsv.exe
4164	explorer.exe
5200	spoolsv.exe
5340	spoolsv.exe
5400	explorer.exe
5624	spoolsv.exe
5688	spoolsv.exe
3972	spoolsv.exe
2588	spoolsv.exe
5168	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 1916 set thread context of 4268	1916	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	103
PID 2060 set thread context of 4792	2060	explorer.exe	107
PID 4844 set thread context of 3316	4844	spoolsv.exe	130
PID 2248 set thread context of 4872	2248	spoolsv.exe	133
PID 388 set thread context of 4916	388	spoolsv.exe	136
PID 3844 set thread context of 4460	3844	spoolsv.exe	137
PID 4532 set thread context of 1928	4532	spoolsv.exe	139
PID 1808 set thread context of 2780	1808	spoolsv.exe	142
PID 3264 set thread context of 1112	3264	spoolsv.exe	145
PID 4676 set thread context of 1080	4676	spoolsv.exe	148
PID 3496 set thread context of 1152	3496	spoolsv.exe	150
PID 4752 set thread context of 5340	4752	spoolsv.exe	153
PID 4924 set thread context of 5688	4924	spoolsv.exe	156
PID 3856 set thread context of 2588	3856	spoolsv.exe	158

Drops file in Windows directory 43 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 56 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4268	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
4268	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
4268	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
4268	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
4792	explorer.exe
3316	spoolsv.exe
3316	spoolsv.exe
4872	spoolsv.exe
4872	spoolsv.exe
4916	spoolsv.exe
4916	spoolsv.exe
4460	spoolsv.exe
4460	spoolsv.exe
1928	spoolsv.exe
1928	spoolsv.exe
2780	spoolsv.exe
2780	spoolsv.exe
1112	spoolsv.exe
1112	spoolsv.exe
1080	spoolsv.exe
1080	spoolsv.exe
1152	spoolsv.exe
1152	spoolsv.exe
5340	spoolsv.exe
5340	spoolsv.exe
5688	spoolsv.exe
5688	spoolsv.exe
2588	spoolsv.exe
2588	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3864	1916	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	90
PID 1916 wrote to memory of 3864	1916	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	90
PID 1916 wrote to memory of 4268	1916	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	103
PID 1916 wrote to memory of 4268	1916	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	103
PID 1916 wrote to memory of 4268	1916	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	103
PID 1916 wrote to memory of 4268	1916	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	103
PID 1916 wrote to memory of 4268	1916	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	103
PID 4268 wrote to memory of 2060	4268	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	104
PID 4268 wrote to memory of 2060	4268	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	104
PID 4268 wrote to memory of 2060	4268	dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe	104
PID 2060 wrote to memory of 4792	2060	explorer.exe	107
PID 2060 wrote to memory of 4792	2060	explorer.exe	107
PID 2060 wrote to memory of 4792	2060	explorer.exe	107
PID 2060 wrote to memory of 4792	2060	explorer.exe	107
PID 2060 wrote to memory of 4792	2060	explorer.exe	107
PID 4792 wrote to memory of 4844	4792	explorer.exe	108
PID 4792 wrote to memory of 4844	4792	explorer.exe	108
PID 4792 wrote to memory of 4844	4792	explorer.exe	108
PID 4792 wrote to memory of 2248	4792	explorer.exe	109
PID 4792 wrote to memory of 2248	4792	explorer.exe	109
PID 4792 wrote to memory of 2248	4792	explorer.exe	109
PID 4792 wrote to memory of 388	4792	explorer.exe	110
PID 4792 wrote to memory of 388	4792	explorer.exe	110
PID 4792 wrote to memory of 388	4792	explorer.exe	110
PID 4792 wrote to memory of 3844	4792	explorer.exe	111
PID 4792 wrote to memory of 3844	4792	explorer.exe	111
PID 4792 wrote to memory of 3844	4792	explorer.exe	111
PID 4792 wrote to memory of 4532	4792	explorer.exe	112
PID 4792 wrote to memory of 4532	4792	explorer.exe	112
PID 4792 wrote to memory of 4532	4792	explorer.exe	112
PID 4792 wrote to memory of 1808	4792	explorer.exe	113
PID 4792 wrote to memory of 1808	4792	explorer.exe	113
PID 4792 wrote to memory of 1808	4792	explorer.exe	113
PID 4792 wrote to memory of 3264	4792	explorer.exe	114
PID 4792 wrote to memory of 3264	4792	explorer.exe	114
PID 4792 wrote to memory of 3264	4792	explorer.exe	114
PID 4792 wrote to memory of 4676	4792	explorer.exe	115
PID 4792 wrote to memory of 4676	4792	explorer.exe	115
PID 4792 wrote to memory of 4676	4792	explorer.exe	115
PID 4792 wrote to memory of 3496	4792	explorer.exe	116
PID 4792 wrote to memory of 3496	4792	explorer.exe	116
PID 4792 wrote to memory of 3496	4792	explorer.exe	116
PID 4792 wrote to memory of 4752	4792	explorer.exe	117
PID 4792 wrote to memory of 4752	4792	explorer.exe	117
PID 4792 wrote to memory of 4752	4792	explorer.exe	117
PID 4792 wrote to memory of 4924	4792	explorer.exe	118
PID 4792 wrote to memory of 4924	4792	explorer.exe	118
PID 4792 wrote to memory of 4924	4792	explorer.exe	118
PID 4792 wrote to memory of 3856	4792	explorer.exe	119
PID 4792 wrote to memory of 3856	4792	explorer.exe	119
PID 4792 wrote to memory of 3856	4792	explorer.exe	119
PID 4792 wrote to memory of 3224	4792	explorer.exe	120
PID 4792 wrote to memory of 3224	4792	explorer.exe	120
PID 4792 wrote to memory of 3224	4792	explorer.exe	120
PID 4792 wrote to memory of 1832	4792	explorer.exe	121
PID 4792 wrote to memory of 1832	4792	explorer.exe	121
PID 4792 wrote to memory of 1832	4792	explorer.exe	121
PID 4792 wrote to memory of 4800	4792	explorer.exe	122
PID 4792 wrote to memory of 4800	4792	explorer.exe	122
PID 4792 wrote to memory of 4800	4792	explorer.exe	122
PID 4792 wrote to memory of 2060	4792	explorer.exe	123
PID 4792 wrote to memory of 2060	4792	explorer.exe	123
PID 4792 wrote to memory of 2060	4792	explorer.exe	123
PID 4792 wrote to memory of 4856	4792	explorer.exe	124

C:\Users\Admin\AppData\Local\Temp\dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3864
- C:\Users\Admin\AppData\Local\Temp\dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc87d7130991a25da381b43d386a91d4_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4268
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4844
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3316
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2248
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4872
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:388
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3844
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1928
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1808
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3264
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4676
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3496
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4752
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5340
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5400
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4924
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3224
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1832
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5760
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5868
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4800
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2428
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1528
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2060
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1720
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5828
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4508
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4704
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1444
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5348
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2728
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:964
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5592
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5540
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1312
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5292
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:320
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2900
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5460
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1948
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1664
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1180
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4264
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5200
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5624
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5840
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5640
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5612
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6044
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5472
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3488
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5680
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1244
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1596
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5664
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2368
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5220
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5720
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5788
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3812
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3760,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
1⤵
PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
1cdcbf311f032e7f6bc2fe4610a41abe

SHA1
9d4fb47469df307fee7ebe1a4f98a712b6fc84f5

SHA256
76f681387ab9cc918f461b85d7f28ba009ed36b81c29d84f0a7f38a18efbd6f6

SHA512
eaecd6fa392aec6f8837d43f4c754ff416a7a48b159376e27fc474cbe368284be9e9f1c8fab1083a8af99d8f761a6b7f7c64f0b2abe72989b3dd21dc1303a51c

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
be0f0678673e8f926579a7b1267a1b12

SHA1
4740a226c808b6c438008c82789ee61ec2b37e89

SHA256
6952593cb3157156fffa3986bfbb683561d750c4bfc1e2f55ce81d07c2ff8565

SHA512
a8b03b5af03c36c17ff3549ac56e7db01b74f1a8ffb3391618c908bb0fe4a933c69346fe698b4e6747a4e0223a5f6717ae5134e2d5c250f2284d7721d0b2b31f

Download Submit
memory/388-595-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/388-1509-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/500-4003-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1080-1994-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1112-2047-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1112-1936-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-2212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-2110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1244-4589-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1244-4736-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1444-3265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1444-3112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1716-4268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-2886-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-3025-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-805-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1832-1283-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1916-17-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1916-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1916-16-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1916-24-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1928-1757-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2060-65-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2060-1435-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2060-59-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2232-4092-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-594-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2248-1437-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2344-4526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2428-2650-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2428-2786-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-2435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-3989-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-1919-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3108-4463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-4374-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3224-1216-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3264-833-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3316-1416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-1291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3316-1384-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3332-4937-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3388-4103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-4675-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3468-4679-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3496-988-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3528-4691-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-1517-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3844-713-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3856-1164-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4228-4394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-3761-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-4166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4264-3960-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4336-5314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-1519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4472-3723-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4508-1643-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4532-759-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4536-3753-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4676-929-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4752-1030-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4792-384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4792-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4800-1343-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4844-407-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4844-1292-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4856-1500-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4872-1562-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4916-1508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-1093-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4928-3628-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-3592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5220-4909-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5220-4782-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5256-2449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5264-4832-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5288-4584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5292-3506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5292-3616-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5340-2349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5364-3980-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5460-3730-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5592-3487-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5608-2745-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5608-2778-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5612-4363-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5612-4534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5684-3741-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5688-2302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5716-4381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5748-3519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5760-2643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5784-3188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5788-5167-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5804-2985-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5824-4849-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5840-4344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5848-3972-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5852-3773-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5976-4277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download