pony | 60a468b9e754e03b542c0b3290fa0d002d54901f3086ac5d42bae9a4d80c457b

Analysis

max time kernel
115s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
Size

2.2MB
MD5

059a66ce1c5b8bbb68ce6319977a0417
SHA1

1267a1325ed4fd9412637e3044432b586570d3f8
SHA256

60a468b9e754e03b542c0b3290fa0d002d54901f3086ac5d42bae9a4d80c457b
SHA512

8021172356cdddd9e6455f2f37dc6c23b5e81fd53e68232410c28fc05babaac5fe44a060c019c879095a5459b280c113e2b5ed4501acc7cd8c9ada90eb7c0c93
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZi:0UzeyQMS4DqodCnoe+iitjWwwm

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 2 IoCs

Processes:

059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe

Executes dropped EXE 25 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1368	explorer.exe
4928	explorer.exe
3548	spoolsv.exe
4136	spoolsv.exe
2344	spoolsv.exe
1368	spoolsv.exe
2240	spoolsv.exe
4564	spoolsv.exe
696	spoolsv.exe
3220	spoolsv.exe
1648	spoolsv.exe
2244	spoolsv.exe
2512	spoolsv.exe
3728	spoolsv.exe
3400	spoolsv.exe
1316	spoolsv.exe
3784	explorer.exe
1016	spoolsv.exe
880	spoolsv.exe
1064	spoolsv.exe
4548	spoolsv.exe
2096	explorer.exe
3524	spoolsv.exe
3920	spoolsv.exe
2372	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1572 set thread context of 4956	1572	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
PID 1368 set thread context of 4928	1368	explorer.exe	explorer.exe
PID 3548 set thread context of 1316	3548	spoolsv.exe	spoolsv.exe
PID 4136 set thread context of 880	4136	spoolsv.exe	spoolsv.exe
PID 2344 set thread context of 4548	2344	spoolsv.exe	spoolsv.exe
PID 1368 set thread context of 3920	1368	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 23 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exe059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exeexplorer.exe

pid	process
4956	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
4956	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4956	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
4956	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
4928	explorer.exe
1316	spoolsv.exe
1316	spoolsv.exe
880	spoolsv.exe
880	spoolsv.exe
4548	spoolsv.exe
4548	spoolsv.exe
3920	spoolsv.exe
3920	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1572 wrote to memory of 3416	1572	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	splwow64.exe
PID 1572 wrote to memory of 3416	1572	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	splwow64.exe
PID 1572 wrote to memory of 4956	1572	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
PID 1572 wrote to memory of 4956	1572	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
PID 1572 wrote to memory of 4956	1572	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
PID 1572 wrote to memory of 4956	1572	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
PID 1572 wrote to memory of 4956	1572	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
PID 4956 wrote to memory of 1368	4956	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	explorer.exe
PID 4956 wrote to memory of 1368	4956	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	explorer.exe
PID 4956 wrote to memory of 1368	4956	059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe	explorer.exe
PID 1368 wrote to memory of 4928	1368	explorer.exe	explorer.exe
PID 1368 wrote to memory of 4928	1368	explorer.exe	explorer.exe
PID 1368 wrote to memory of 4928	1368	explorer.exe	explorer.exe
PID 1368 wrote to memory of 4928	1368	explorer.exe	explorer.exe
PID 1368 wrote to memory of 4928	1368	explorer.exe	explorer.exe
PID 4928 wrote to memory of 3548	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3548	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3548	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 4136	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 4136	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 4136	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2344	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2344	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2344	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 1368	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 1368	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 1368	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2240	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2240	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2240	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 4564	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 4564	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 4564	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 696	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 696	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 696	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3220	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3220	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3220	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 1648	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 1648	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 1648	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2244	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2244	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2244	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2512	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2512	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 2512	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3728	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3728	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3728	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3400	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3400	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 3400	4928	explorer.exe	spoolsv.exe
PID 3548 wrote to memory of 1316	3548	spoolsv.exe	spoolsv.exe
PID 3548 wrote to memory of 1316	3548	spoolsv.exe	spoolsv.exe
PID 3548 wrote to memory of 1316	3548	spoolsv.exe	spoolsv.exe
PID 3548 wrote to memory of 1316	3548	spoolsv.exe	spoolsv.exe
PID 3548 wrote to memory of 1316	3548	spoolsv.exe	spoolsv.exe
PID 1316 wrote to memory of 3784	1316	spoolsv.exe	explorer.exe
PID 1316 wrote to memory of 3784	1316	spoolsv.exe	explorer.exe
PID 1316 wrote to memory of 3784	1316	spoolsv.exe	explorer.exe
PID 4928 wrote to memory of 1016	4928	explorer.exe	spoolsv.exe
PID 4928 wrote to memory of 1016	4928	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\059a66ce1c5b8bbb68ce6319977a0417_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1368

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3548

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3784

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4136

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2344

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4548

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2096

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1368

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2240

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2412

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2128

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4564

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4864

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2440

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:696

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3144

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4372

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3220

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3636

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1648

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:400

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2244

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2512

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1256

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3728

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3400

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:700

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:1324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1016

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1064

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4972

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3524

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2372

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4516

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4168

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
e5c6a68d0d53d560a84badc49fdf0604

SHA1
fb50e74718f16572e608bc8b42321a8a509ddb01

SHA256
9bf0db48b56194b3be068a83d59fc416d53e48b15bc5ac31659144659c34f9a3

SHA512
1618819dece57a315f7892bd2fe97b4b01ee0676fc68f440963b684fc08295a66dcd9114ada1ba0ae03c841432a8a181c74228a7aa936f1cee90795fd17f22ac

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
fe3fa4c03543b2629180c13655e169e4

SHA1
155770b6dc7e2f73ef3a9dedf1730efe26454a28

SHA256
e392f79158891afcac5cd489fc66a992211e6d0c54bd4f7108b49cbe934a52b6

SHA512
c2e24c2cddb93e19b4651e7bf99da1b25de39592a2411d972d7c6beb296f275bdec0efae0be3d10aebe008081a6369a4dbd5ec37c3a552bef2c8a86e5e8c170c

Download Submit
memory/400-1883-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-2001-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/696-687-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/700-2305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/700-2422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-926-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-2519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-2217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-2089-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-979-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1316-977-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/1360-2728-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-71-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1368-1109-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1368-76-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1368-69-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1368-511-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1572-20-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1572-13-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1572-0-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1572-12-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1572-1-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1648-910-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1696-2178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-576-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2240-1275-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2244-1051-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2316-2543-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2344-435-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2344-1052-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2376-2718-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-1278-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2412-1426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-1112-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2732-2555-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-2372-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3144-1733-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3144-1610-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-835-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3400-1274-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3416-30-0x00007FF9F22F0000-0x00007FF9F22FC000-memory.dmp

Filesize
48KB

Download
memory/3416-29-0x00007FF9E99C0000-0x00007FF9E99E8000-memory.dmp

Filesize
160KB

Download
memory/3548-832-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3548-231-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3608-2536-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3636-1750-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3636-1862-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3728-1272-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3784-1276-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3868-2567-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3900-2319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3920-1113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4136-368-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4136-909-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4140-2737-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-2706-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-1192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-1053-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-627-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4864-1592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4864-1445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-2439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4972-2694-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download