pony | c29176d8270b3db5357294bb8250ccb96118abd9cf108fd6bc2908a554c600e8

Analysis

max time kernel
96s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
Size

2.2MB
MD5

f2fb972b31c5ae7e59e250cbaaeb59f4
SHA1

f1b45ab20c42bb31e3652593e593e6c4bbf79b3c
SHA256

c29176d8270b3db5357294bb8250ccb96118abd9cf108fd6bc2908a554c600e8
SHA512

13907c35858623bfadea013de29ad84ceacff2460d65b704481ea572efebebf04e5398c5758c08bbd92ff127647b3edc5f1867e071e01bbe12bd2effff4f4a05
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZy:0UzeyQMS4DqodCnoe+iitjWwwu

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe

Executes dropped EXE 48 IoCs

pid	Process
2364	explorer.exe
2648	explorer.exe
628	spoolsv.exe
2320	spoolsv.exe
3292	spoolsv.exe
1604	spoolsv.exe
1436	spoolsv.exe
3980	spoolsv.exe
2380	spoolsv.exe
3012	spoolsv.exe
3448	spoolsv.exe
2196	spoolsv.exe
2872	spoolsv.exe
1204	spoolsv.exe
516	spoolsv.exe
4560	spoolsv.exe
4360	spoolsv.exe
2240	spoolsv.exe
4320	spoolsv.exe
3592	spoolsv.exe
4340	spoolsv.exe
3672	spoolsv.exe
2064	spoolsv.exe
876	spoolsv.exe
2688	spoolsv.exe
2184	spoolsv.exe
2796	spoolsv.exe
4588	explorer.exe
2972	spoolsv.exe
5080	spoolsv.exe
4592	spoolsv.exe
3404	spoolsv.exe
1364	explorer.exe
1620	spoolsv.exe
2708	spoolsv.exe
2420	explorer.exe
5200	spoolsv.exe
5496	spoolsv.exe
5548	explorer.exe
5620	spoolsv.exe
5960	spoolsv.exe
5264	spoolsv.exe
5368	spoolsv.exe
5444	explorer.exe
5700	spoolsv.exe
6092	spoolsv.exe
5576	explorer.exe
3496	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 3160 set thread context of 4540	3160	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	99
PID 2364 set thread context of 2648	2364	explorer.exe	103
PID 628 set thread context of 2796	628	spoolsv.exe	128
PID 2320 set thread context of 5080	2320	spoolsv.exe	131
PID 3292 set thread context of 3404	3292	spoolsv.exe	133
PID 1604 set thread context of 2708	1604	spoolsv.exe	136
PID 1436 set thread context of 5496	1436	spoolsv.exe	139
PID 3980 set thread context of 5620	3980	spoolsv.exe	141
PID 2380 set thread context of 5368	2380	spoolsv.exe	144
PID 3012 set thread context of 6092	3012	spoolsv.exe	147

Drops file in Windows directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4540	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
4540	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
4540	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
4540	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2648	explorer.exe
2796	spoolsv.exe
2796	spoolsv.exe
5080	spoolsv.exe
5080	spoolsv.exe
3404	spoolsv.exe
3404	spoolsv.exe
2708	spoolsv.exe
2708	spoolsv.exe
5496	spoolsv.exe
5496	spoolsv.exe
5620	spoolsv.exe
5620	spoolsv.exe
5368	spoolsv.exe
5368	spoolsv.exe
6092	spoolsv.exe
6092	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4656	3160	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	89
PID 3160 wrote to memory of 4656	3160	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	89
PID 3160 wrote to memory of 4540	3160	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	99
PID 3160 wrote to memory of 4540	3160	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	99
PID 3160 wrote to memory of 4540	3160	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	99
PID 3160 wrote to memory of 4540	3160	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	99
PID 3160 wrote to memory of 4540	3160	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	99
PID 4540 wrote to memory of 2364	4540	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	100
PID 4540 wrote to memory of 2364	4540	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	100
PID 4540 wrote to memory of 2364	4540	f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe	100
PID 2364 wrote to memory of 2648	2364	explorer.exe	103
PID 2364 wrote to memory of 2648	2364	explorer.exe	103
PID 2364 wrote to memory of 2648	2364	explorer.exe	103
PID 2364 wrote to memory of 2648	2364	explorer.exe	103
PID 2364 wrote to memory of 2648	2364	explorer.exe	103
PID 2648 wrote to memory of 628	2648	explorer.exe	104
PID 2648 wrote to memory of 628	2648	explorer.exe	104
PID 2648 wrote to memory of 628	2648	explorer.exe	104
PID 2648 wrote to memory of 2320	2648	explorer.exe	105
PID 2648 wrote to memory of 2320	2648	explorer.exe	105
PID 2648 wrote to memory of 2320	2648	explorer.exe	105
PID 2648 wrote to memory of 3292	2648	explorer.exe	106
PID 2648 wrote to memory of 3292	2648	explorer.exe	106
PID 2648 wrote to memory of 3292	2648	explorer.exe	106
PID 2648 wrote to memory of 1604	2648	explorer.exe	107
PID 2648 wrote to memory of 1604	2648	explorer.exe	107
PID 2648 wrote to memory of 1604	2648	explorer.exe	107
PID 2648 wrote to memory of 1436	2648	explorer.exe	108
PID 2648 wrote to memory of 1436	2648	explorer.exe	108
PID 2648 wrote to memory of 1436	2648	explorer.exe	108
PID 2648 wrote to memory of 3980	2648	explorer.exe	109
PID 2648 wrote to memory of 3980	2648	explorer.exe	109
PID 2648 wrote to memory of 3980	2648	explorer.exe	109
PID 2648 wrote to memory of 2380	2648	explorer.exe	110
PID 2648 wrote to memory of 2380	2648	explorer.exe	110
PID 2648 wrote to memory of 2380	2648	explorer.exe	110
PID 2648 wrote to memory of 3012	2648	explorer.exe	111
PID 2648 wrote to memory of 3012	2648	explorer.exe	111
PID 2648 wrote to memory of 3012	2648	explorer.exe	111
PID 2648 wrote to memory of 3448	2648	explorer.exe	112
PID 2648 wrote to memory of 3448	2648	explorer.exe	112
PID 2648 wrote to memory of 3448	2648	explorer.exe	112
PID 2648 wrote to memory of 2196	2648	explorer.exe	113
PID 2648 wrote to memory of 2196	2648	explorer.exe	113
PID 2648 wrote to memory of 2196	2648	explorer.exe	113
PID 2648 wrote to memory of 2872	2648	explorer.exe	114
PID 2648 wrote to memory of 2872	2648	explorer.exe	114
PID 2648 wrote to memory of 2872	2648	explorer.exe	114
PID 2648 wrote to memory of 1204	2648	explorer.exe	115
PID 2648 wrote to memory of 1204	2648	explorer.exe	115
PID 2648 wrote to memory of 1204	2648	explorer.exe	115
PID 2648 wrote to memory of 516	2648	explorer.exe	116
PID 2648 wrote to memory of 516	2648	explorer.exe	116
PID 2648 wrote to memory of 516	2648	explorer.exe	116
PID 2648 wrote to memory of 4560	2648	explorer.exe	117
PID 2648 wrote to memory of 4560	2648	explorer.exe	117
PID 2648 wrote to memory of 4560	2648	explorer.exe	117
PID 2648 wrote to memory of 4360	2648	explorer.exe	118
PID 2648 wrote to memory of 4360	2648	explorer.exe	118
PID 2648 wrote to memory of 4360	2648	explorer.exe	118
PID 2648 wrote to memory of 2240	2648	explorer.exe	119
PID 2648 wrote to memory of 2240	2648	explorer.exe	119
PID 2648 wrote to memory of 2240	2648	explorer.exe	119
PID 2648 wrote to memory of 4320	2648	explorer.exe	120

C:\Users\Admin\AppData\Local\Temp\f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4656
- C:\Users\Admin\AppData\Local\Temp\f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f2fb972b31c5ae7e59e250cbaaeb59f4_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4540
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:628
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2320
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3292
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1604
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1436
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5496
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2380
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5368
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5444
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3012
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6092
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5356
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6012
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2196
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5508
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6100
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2872
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5124
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3876
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1204
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5896
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5904
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:516
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5396
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5388
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4560
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5408
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3008
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2240
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1524
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2860
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4320
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3592
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5880
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5136
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4340
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5760
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1468
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3672
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5300
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5176
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4332
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1804
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2688
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2184
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3724
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6136
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4592
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1620
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5200
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5864
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5960
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5264
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5700
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3496
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5852
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5860
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5944
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3400
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5848
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5728
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5236
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3372
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2836
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4784
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
cd1a328fd0d53b365c6730308c414a0d

SHA1
8a0d7a5b3a24e982d4f4d11e8ea1b8562a974604

SHA256
6295dc08d089c6841a7ff8535cf5250803ca03b37611963e82924c28c080ca67

SHA512
92d636a45e3aec8e850d2a912ea0c3ee6f3dc687f49b9074a87c3ca4fe0fd1aeee3604eff2e686f6fe858e2501718b3beebd2b2d32d1e27bb70162a1ae770d00

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
1371362f3c9984a964785e5c120cd1bf

SHA1
a802bdc0573d6ba6ad9369ee055aeb90ce9526d7

SHA256
51b411b1472fe77a77624a4db04b2158155f310c03190b08066664b4e73b50fa

SHA512
8af8a7d958c4f29a0fd425ea664961db9b7edb2c904c8dd4b430a4c106479b38d1b9ebb1cb59f600b393c27a444f9fa26926222793b88f9bc94e5fb54425fe55

Download Submit
memory/516-1293-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/556-4506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/628-1469-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/628-495-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/808-4307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1172-4584-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1180-4217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1204-1271-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1436-823-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1524-3501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1604-766-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1604-1799-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1676-4651-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-4482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2196-1102-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2240-1542-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2320-651-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2320-1559-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2336-4577-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-65-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2364-59-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2380-982-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2500-4110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-1798-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-1467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-1582-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2796-1604-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-1209-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3012-994-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3160-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3160-22-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3160-29-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3160-0-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3188-4736-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-691-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3292-1672-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3384-3141-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3384-3137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3400-4546-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3404-1782-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-1055-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3592-1749-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3632-4182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3724-4256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3820-4557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3824-4564-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3940-4330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3980-870-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4304-4359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4320-1666-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4332-4079-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4332-3960-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4340-1906-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4360-1462-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4540-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4540-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-1380-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5080-1561-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-1547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5124-2804-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5124-2907-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5240-4666-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5276-4516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5284-4502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5300-3944-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5300-3885-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5356-2648-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5356-2530-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5368-2310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5396-3208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5408-3331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5408-3227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5496-2078-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5500-4661-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5508-2667-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5516-4643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5556-3967-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5556-3971-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5620-1965-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5620-1962-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5632-5304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5648-4195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5744-4338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5760-3865-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5780-4606-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5856-3471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5864-4319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5880-3596-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5896-3021-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5896-2926-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5992-4539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6092-2458-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6092-2329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6108-4626-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6120-4472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6128-4206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download