pony | d46b201a9b5fc4c36071395c8e1dcb2ab3ebebec076f798b633baf90106fb86d

Analysis

max time kernel
123s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
Size

2.2MB
MD5

1ff3a0ee76df1f85841f0c043e228b6d
SHA1

bda03b249d1de7b783022f81a8658b243d94a86f
SHA256

d46b201a9b5fc4c36071395c8e1dcb2ab3ebebec076f798b633baf90106fb86d
SHA512

57151bdcc8c565ed5d86ed60cfb45abf8f9f51882294733421f920e1da8c219ad9fdf37a9aaaad74a1f5ea613af3a22ee464abf05195f897be88f14622bb107e
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZm:0UzeyQMS4DqodCnoe+iitjWwwC

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2368	explorer.exe
4196	explorer.exe
632	spoolsv.exe
2096	spoolsv.exe
4536	spoolsv.exe
4892	spoolsv.exe
2140	spoolsv.exe
4412	spoolsv.exe
940	spoolsv.exe
396	spoolsv.exe
3004	spoolsv.exe
1268	spoolsv.exe
3140	spoolsv.exe
4380	spoolsv.exe
448	spoolsv.exe
948	spoolsv.exe
4144	spoolsv.exe
3668	spoolsv.exe
3040	spoolsv.exe
1760	spoolsv.exe
1600	spoolsv.exe
5076	spoolsv.exe
552	spoolsv.exe
4468	spoolsv.exe
3680	spoolsv.exe
2584	spoolsv.exe
452	spoolsv.exe
4692	spoolsv.exe
4148	spoolsv.exe
680	spoolsv.exe
1700	spoolsv.exe
4656	explorer.exe
4704	spoolsv.exe
3244	spoolsv.exe
4288	spoolsv.exe
3324	spoolsv.exe
3208	spoolsv.exe
4444	explorer.exe
2308	spoolsv.exe
2420	spoolsv.exe
2056	spoolsv.exe
1784	spoolsv.exe
4500	spoolsv.exe
2868	explorer.exe
384	spoolsv.exe
4644	spoolsv.exe
4392	spoolsv.exe
2232	spoolsv.exe
3480	spoolsv.exe
4160	spoolsv.exe
2980	spoolsv.exe
4496	spoolsv.exe
2988	explorer.exe
2116	spoolsv.exe
3232	spoolsv.exe
1648	spoolsv.exe
3788	spoolsv.exe
3224	explorer.exe
4220	spoolsv.exe
4660	spoolsv.exe
5104	spoolsv.exe
4928	spoolsv.exe
5096	spoolsv.exe
1468	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 34 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 2836	4552	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	97
PID 2368 set thread context of 4196	2368	explorer.exe	101
PID 632 set thread context of 1700	632	spoolsv.exe	135
PID 2096 set thread context of 4704	2096	spoolsv.exe	137
PID 4536 set thread context of 3244	4536	spoolsv.exe	138
PID 4892 set thread context of 3324	4892	spoolsv.exe	140
PID 2140 set thread context of 3208	2140	spoolsv.exe	141
PID 4412 set thread context of 2308	4412	spoolsv.exe	143
PID 940 set thread context of 2056	940	spoolsv.exe	145
PID 396 set thread context of 1784	396	spoolsv.exe	146
PID 3004 set thread context of 4500	3004	spoolsv.exe	147
PID 1268 set thread context of 384	1268	spoolsv.exe	149
PID 3140 set thread context of 4644	3140	spoolsv.exe	150
PID 4380 set thread context of 2232	4380	spoolsv.exe	152
PID 448 set thread context of 3480	448	spoolsv.exe	153
PID 948 set thread context of 4160	948	spoolsv.exe	154
PID 4144 set thread context of 2980	4144	spoolsv.exe	155
PID 3668 set thread context of 2116	3668	spoolsv.exe	158
PID 3040 set thread context of 3232	3040	spoolsv.exe	159
PID 1760 set thread context of 3788	1760	spoolsv.exe	162
PID 1600 set thread context of 4220	1600	spoolsv.exe	164
PID 5076 set thread context of 4660	5076	spoolsv.exe	165
PID 552 set thread context of 5104	552	spoolsv.exe	166
PID 4468 set thread context of 5096	4468	spoolsv.exe	168
PID 3680 set thread context of 2680	3680	spoolsv.exe	170
PID 2584 set thread context of 3000	2584	spoolsv.exe	171
PID 452 set thread context of 3844	452	spoolsv.exe	173
PID 4692 set thread context of 3932	4692	spoolsv.exe	175
PID 4148 set thread context of 4784	4148	spoolsv.exe	177
PID 680 set thread context of 4384	680	spoolsv.exe	181
PID 4656 set thread context of 4564	4656	explorer.exe	184
PID 4288 set thread context of 3144	4288	spoolsv.exe	188
PID 4444 set thread context of 3684	4444	explorer.exe	191
PID 2420 set thread context of 5264	2420	spoolsv.exe	197

Drops file in Windows directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
2836	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2836	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
2836	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
4196	explorer.exe
1700	spoolsv.exe
1700	spoolsv.exe
4704	spoolsv.exe
4704	spoolsv.exe
3244	spoolsv.exe
3244	spoolsv.exe
3324	spoolsv.exe
3324	spoolsv.exe
3208	spoolsv.exe
3208	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
2056	spoolsv.exe
2056	spoolsv.exe
1784	spoolsv.exe
1784	spoolsv.exe
4500	spoolsv.exe
4500	spoolsv.exe
384	spoolsv.exe
384	spoolsv.exe
4644	spoolsv.exe
4644	spoolsv.exe
2232	spoolsv.exe
2232	spoolsv.exe
3480	spoolsv.exe
3480	spoolsv.exe
4160	spoolsv.exe
4160	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2116	spoolsv.exe
2116	spoolsv.exe
3232	spoolsv.exe
3232	spoolsv.exe
3788	spoolsv.exe
3788	spoolsv.exe
4220	spoolsv.exe
4220	spoolsv.exe
4660	spoolsv.exe
4660	spoolsv.exe
5104	spoolsv.exe
5104	spoolsv.exe
5096	spoolsv.exe
5096	spoolsv.exe
2680	spoolsv.exe
2680	spoolsv.exe
3000	spoolsv.exe
3000	spoolsv.exe
3844	spoolsv.exe
3844	spoolsv.exe
3932	spoolsv.exe
3932	spoolsv.exe
4784	spoolsv.exe
4784	spoolsv.exe
4384	spoolsv.exe
4384	spoolsv.exe
4564	explorer.exe
4564	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4552 wrote to memory of 3160	4552	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	83
PID 4552 wrote to memory of 3160	4552	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	83
PID 4552 wrote to memory of 2836	4552	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	97
PID 4552 wrote to memory of 2836	4552	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	97
PID 4552 wrote to memory of 2836	4552	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	97
PID 4552 wrote to memory of 2836	4552	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	97
PID 4552 wrote to memory of 2836	4552	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	97
PID 2836 wrote to memory of 2368	2836	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	98
PID 2836 wrote to memory of 2368	2836	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	98
PID 2836 wrote to memory of 2368	2836	1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe	98
PID 2368 wrote to memory of 4196	2368	explorer.exe	101
PID 2368 wrote to memory of 4196	2368	explorer.exe	101
PID 2368 wrote to memory of 4196	2368	explorer.exe	101
PID 2368 wrote to memory of 4196	2368	explorer.exe	101
PID 2368 wrote to memory of 4196	2368	explorer.exe	101
PID 4196 wrote to memory of 632	4196	explorer.exe	102
PID 4196 wrote to memory of 632	4196	explorer.exe	102
PID 4196 wrote to memory of 632	4196	explorer.exe	102
PID 4196 wrote to memory of 2096	4196	explorer.exe	103
PID 4196 wrote to memory of 2096	4196	explorer.exe	103
PID 4196 wrote to memory of 2096	4196	explorer.exe	103
PID 4196 wrote to memory of 4536	4196	explorer.exe	104
PID 4196 wrote to memory of 4536	4196	explorer.exe	104
PID 4196 wrote to memory of 4536	4196	explorer.exe	104
PID 4196 wrote to memory of 4892	4196	explorer.exe	105
PID 4196 wrote to memory of 4892	4196	explorer.exe	105
PID 4196 wrote to memory of 4892	4196	explorer.exe	105
PID 4196 wrote to memory of 2140	4196	explorer.exe	106
PID 4196 wrote to memory of 2140	4196	explorer.exe	106
PID 4196 wrote to memory of 2140	4196	explorer.exe	106
PID 4196 wrote to memory of 4412	4196	explorer.exe	107
PID 4196 wrote to memory of 4412	4196	explorer.exe	107
PID 4196 wrote to memory of 4412	4196	explorer.exe	107
PID 4196 wrote to memory of 940	4196	explorer.exe	108
PID 4196 wrote to memory of 940	4196	explorer.exe	108
PID 4196 wrote to memory of 940	4196	explorer.exe	108
PID 4196 wrote to memory of 396	4196	explorer.exe	109
PID 4196 wrote to memory of 396	4196	explorer.exe	109
PID 4196 wrote to memory of 396	4196	explorer.exe	109
PID 4196 wrote to memory of 3004	4196	explorer.exe	110
PID 4196 wrote to memory of 3004	4196	explorer.exe	110
PID 4196 wrote to memory of 3004	4196	explorer.exe	110
PID 4196 wrote to memory of 1268	4196	explorer.exe	111
PID 4196 wrote to memory of 1268	4196	explorer.exe	111
PID 4196 wrote to memory of 1268	4196	explorer.exe	111
PID 4196 wrote to memory of 3140	4196	explorer.exe	113
PID 4196 wrote to memory of 3140	4196	explorer.exe	113
PID 4196 wrote to memory of 3140	4196	explorer.exe	113
PID 4196 wrote to memory of 4380	4196	explorer.exe	114
PID 4196 wrote to memory of 4380	4196	explorer.exe	114
PID 4196 wrote to memory of 4380	4196	explorer.exe	114
PID 4196 wrote to memory of 448	4196	explorer.exe	116
PID 4196 wrote to memory of 448	4196	explorer.exe	116
PID 4196 wrote to memory of 448	4196	explorer.exe	116
PID 4196 wrote to memory of 948	4196	explorer.exe	119
PID 4196 wrote to memory of 948	4196	explorer.exe	119
PID 4196 wrote to memory of 948	4196	explorer.exe	119
PID 4196 wrote to memory of 4144	4196	explorer.exe	121
PID 4196 wrote to memory of 4144	4196	explorer.exe	121
PID 4196 wrote to memory of 4144	4196	explorer.exe	121
PID 4196 wrote to memory of 3668	4196	explorer.exe	122
PID 4196 wrote to memory of 3668	4196	explorer.exe	122
PID 4196 wrote to memory of 3668	4196	explorer.exe	122
PID 4196 wrote to memory of 3040	4196	explorer.exe	123

C:\Users\Admin\AppData\Local\Temp\1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3160
- C:\Users\Admin\AppData\Local\Temp\1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\1ff3a0ee76df1f85841f0c043e228b6d_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2836
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:632
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4656
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4536
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2140
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3208
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4444
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4412
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:940
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4500
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2868
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1268
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3140
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4380
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:448
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2988
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3040
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1760
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3788
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3224
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4468
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5096
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1468
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3680
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2584
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:452
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3844
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1336
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4692
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4148
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4784
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4524
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:680
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4384
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1296
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4288
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3144
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4428
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2420
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5264
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4392
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5132
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4496
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5908
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1648
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5852
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4928
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5808
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3608
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5700
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1728
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:624
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5440
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1488
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:372
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4216
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:6008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2404
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5236
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5168
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
7e8ec9e1ec1b485a94cb9a64f30d2df7

SHA1
d2ea552ef675494823d73696cb9d2c7619354d63

SHA256
fed11e8a82f26c4b948f899999fb893ff6dc53863dda9727848d3ff858130acb

SHA512
46794baeac93a336fb9d4ddc8b5242b2ba49d7dac507d05599949c44f5cea872bd5113660daebf328c7b98389a5b3588920da88a3359e5e8bc439c4001ee1aa2

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
1663a15fa9d5bed6cb9d344c8d6c2086

SHA1
947f8a857b0a0a686c19e869b3ac2098c4b571e4

SHA256
75ee45906febc2fa0ab47e515a479aa8c487b07a3212be6e878ae0b2a74f9e2a

SHA512
1eed3b2de9f008a6980ca11385f22178c3a68aeb26ef911a45dc693c46c90ec46e2658a8537b5aeba0707de9b79048cc180fc9608b35687d316b2b7cbb73d1bb

Download Submit
memory/384-2173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-1235-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/448-1550-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/552-1841-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/632-803-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/632-1791-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/940-1234-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/948-1551-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1268-1409-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1600-1799-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1700-1790-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-1937-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1760-1789-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1784-2075-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-1802-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2096-1004-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2116-2452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2140-1082-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2232-2283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-1967-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2368-68-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2368-63-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2680-2741-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2836-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-5055-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2980-2431-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-2750-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-2754-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-1236-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3040-1788-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3088-5074-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3140-1410-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3144-3635-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3144-3513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-2146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-1956-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3232-2460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3244-1842-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-1891-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3324-1894-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3480-2295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3668-1720-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3684-3664-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-2562-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-2714-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3844-2921-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-2928-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4144-1552-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4160-2305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-67-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4196-802-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4220-2570-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4296-4687-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-1549-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4384-3218-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4412-1083-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4500-2164-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-1005-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4536-1848-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4552-32-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4552-0-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4552-28-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4552-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4564-3302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-4967-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4616-4963-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4644-2182-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4704-1800-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-3122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4784-2994-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4796-4850-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-1892-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4892-1006-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4948-4500-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-1840-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5096-2862-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5096-2733-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5132-4205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5132-4092-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5236-5203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5264-3897-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5264-3992-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5440-4975-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5584-4861-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5692-4840-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5700-4841-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5700-4944-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5808-4805-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5808-4676-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5852-4573-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5852-4445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5908-4227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5980-4880-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6004-4235-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6104-4066-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download