pony | 53e6397b97777572011df93caf02d5d3801929bf1274e37403b4ead8c06ddec7

Analysis

max time kernel
131s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
Size

2.2MB
MD5

44eee15729ef471c7ba797e140530ac6
SHA1

614bcb4f7b288511ffeb890ceaaef6c7d59c0cfb
SHA256

53e6397b97777572011df93caf02d5d3801929bf1274e37403b4ead8c06ddec7
SHA512

b1c6c866fe14356483634ead03580ba10e520d04de744ecec5c9ca587f1c64156abb18e775ba5d20fea6f9807a2632432961191e94ccea951fe7b35a6ca9afb7
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZP:0UzeyQMS4DqodCnoe+iitjWwwj

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2520	explorer.exe
2360	explorer.exe
1432	spoolsv.exe
1856	spoolsv.exe
4208	spoolsv.exe
1696	spoolsv.exe
4620	spoolsv.exe
1176	spoolsv.exe
4852	spoolsv.exe
2192	spoolsv.exe
436	spoolsv.exe
4360	spoolsv.exe
2004	spoolsv.exe
4476	spoolsv.exe
2196	spoolsv.exe
1720	spoolsv.exe
2096	spoolsv.exe
1020	spoolsv.exe
1084	spoolsv.exe
2152	spoolsv.exe
432	spoolsv.exe
1572	spoolsv.exe
4860	spoolsv.exe
1080	spoolsv.exe
4932	spoolsv.exe
1804	spoolsv.exe
2112	spoolsv.exe
1592	spoolsv.exe
1992	spoolsv.exe
1628	spoolsv.exe
4856	spoolsv.exe
5008	spoolsv.exe
3084	explorer.exe
4144	spoolsv.exe
4440	spoolsv.exe
1824	spoolsv.exe
4484	spoolsv.exe
3968	explorer.exe
2104	spoolsv.exe
3240	spoolsv.exe
4768	spoolsv.exe
3788	spoolsv.exe
5108	spoolsv.exe
5068	explorer.exe
2308	spoolsv.exe
4568	spoolsv.exe
4656	spoolsv.exe
3208	spoolsv.exe
4780	explorer.exe
3576	spoolsv.exe
1088	spoolsv.exe
3808	spoolsv.exe
656	spoolsv.exe
1012	spoolsv.exe
3004	spoolsv.exe
4332	explorer.exe
2100	spoolsv.exe
1060	spoolsv.exe
2916	spoolsv.exe
4444	spoolsv.exe
4988	explorer.exe
1320	spoolsv.exe
5084	spoolsv.exe
2944	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 40 IoCs

description	pid	Process	procid_target
PID 3912 set thread context of 1240	3912	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	89
PID 2520 set thread context of 2360	2520	explorer.exe	94
PID 1432 set thread context of 5008	1432	spoolsv.exe	124
PID 1856 set thread context of 4144	1856	spoolsv.exe	126
PID 4208 set thread context of 4440	4208	spoolsv.exe	127
PID 1696 set thread context of 4484	1696	spoolsv.exe	129
PID 4620 set thread context of 2104	4620	spoolsv.exe	131
PID 1176 set thread context of 3240	1176	spoolsv.exe	132
PID 4852 set thread context of 4768	4852	spoolsv.exe	133
PID 2192 set thread context of 5108	2192	spoolsv.exe	135
PID 436 set thread context of 2308	436	spoolsv.exe	137
PID 4360 set thread context of 4568	4360	spoolsv.exe	138
PID 2004 set thread context of 3208	2004	spoolsv.exe	140
PID 4476 set thread context of 3576	4476	spoolsv.exe	142
PID 2196 set thread context of 1088	2196	spoolsv.exe	143
PID 1720 set thread context of 3808	1720	spoolsv.exe	144
PID 2096 set thread context of 1012	2096	spoolsv.exe	146
PID 1020 set thread context of 3004	1020	spoolsv.exe	147
PID 1084 set thread context of 2100	1084	spoolsv.exe	149
PID 2152 set thread context of 2916	2152	spoolsv.exe	151
PID 432 set thread context of 4444	432	spoolsv.exe	152
PID 1572 set thread context of 1320	1572	spoolsv.exe	154
PID 4860 set thread context of 5084	4860	spoolsv.exe	155
PID 1080 set thread context of 3060	1080	spoolsv.exe	157
PID 4932 set thread context of 4168	4932	spoolsv.exe	158
PID 1804 set thread context of 836	1804	spoolsv.exe	159
PID 2112 set thread context of 4928	2112	spoolsv.exe	161
PID 1592 set thread context of 4812	1592	spoolsv.exe	163
PID 1992 set thread context of 3108	1992	spoolsv.exe	176
PID 1628 set thread context of 4464	1628	spoolsv.exe	166
PID 4856 set thread context of 5064	4856	spoolsv.exe	170
PID 3084 set thread context of 1396	3084	explorer.exe	172
PID 3968 set thread context of 3108	3968	explorer.exe	176
PID 1824 set thread context of 3212	1824	spoolsv.exe	177
PID 3788 set thread context of 4912	3788	spoolsv.exe	181
PID 5068 set thread context of 1732	5068	explorer.exe	184
PID 4656 set thread context of 3584	4656	spoolsv.exe	188
PID 4780 set thread context of 5104	4780	explorer.exe	190
PID 656 set thread context of 2036	656	spoolsv.exe	192
PID 4332 set thread context of 3748	4332	explorer.exe	195

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1240	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
1240	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2360	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1240	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
1240	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
2360	explorer.exe
5008	spoolsv.exe
5008	spoolsv.exe
4144	spoolsv.exe
4144	spoolsv.exe
4440	spoolsv.exe
4440	spoolsv.exe
4484	spoolsv.exe
4484	spoolsv.exe
2104	spoolsv.exe
2104	spoolsv.exe
3240	spoolsv.exe
3240	spoolsv.exe
4768	spoolsv.exe
4768	spoolsv.exe
5108	spoolsv.exe
5108	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
4568	spoolsv.exe
4568	spoolsv.exe
3208	spoolsv.exe
3208	spoolsv.exe
3576	spoolsv.exe
3576	spoolsv.exe
1088	spoolsv.exe
1088	spoolsv.exe
3808	spoolsv.exe
3808	spoolsv.exe
1012	spoolsv.exe
1012	spoolsv.exe
3004	spoolsv.exe
3004	spoolsv.exe
2100	spoolsv.exe
2100	spoolsv.exe
2916	spoolsv.exe
2916	spoolsv.exe
4444	spoolsv.exe
4444	spoolsv.exe
1320	spoolsv.exe
1320	spoolsv.exe
5084	spoolsv.exe
5084	spoolsv.exe
3060	spoolsv.exe
3060	spoolsv.exe
4168	spoolsv.exe
4168	spoolsv.exe
836	spoolsv.exe
836	spoolsv.exe
4928	spoolsv.exe
4928	spoolsv.exe
4812	spoolsv.exe
4812	spoolsv.exe
3108	spoolsv.exe
3108	spoolsv.exe
4464	spoolsv.exe
4464	spoolsv.exe
5064	spoolsv.exe
5064	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 2216	3912	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	81
PID 3912 wrote to memory of 2216	3912	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	81
PID 3912 wrote to memory of 1240	3912	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	89
PID 3912 wrote to memory of 1240	3912	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	89
PID 3912 wrote to memory of 1240	3912	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	89
PID 3912 wrote to memory of 1240	3912	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	89
PID 3912 wrote to memory of 1240	3912	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	89
PID 1240 wrote to memory of 2520	1240	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	90
PID 1240 wrote to memory of 2520	1240	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	90
PID 1240 wrote to memory of 2520	1240	44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe	90
PID 2520 wrote to memory of 2360	2520	explorer.exe	94
PID 2520 wrote to memory of 2360	2520	explorer.exe	94
PID 2520 wrote to memory of 2360	2520	explorer.exe	94
PID 2520 wrote to memory of 2360	2520	explorer.exe	94
PID 2520 wrote to memory of 2360	2520	explorer.exe	94
PID 2360 wrote to memory of 1432	2360	explorer.exe	95
PID 2360 wrote to memory of 1432	2360	explorer.exe	95
PID 2360 wrote to memory of 1432	2360	explorer.exe	95
PID 2360 wrote to memory of 1856	2360	explorer.exe	96
PID 2360 wrote to memory of 1856	2360	explorer.exe	96
PID 2360 wrote to memory of 1856	2360	explorer.exe	96
PID 2360 wrote to memory of 4208	2360	explorer.exe	97
PID 2360 wrote to memory of 4208	2360	explorer.exe	97
PID 2360 wrote to memory of 4208	2360	explorer.exe	97
PID 2360 wrote to memory of 1696	2360	explorer.exe	98
PID 2360 wrote to memory of 1696	2360	explorer.exe	98
PID 2360 wrote to memory of 1696	2360	explorer.exe	98
PID 2360 wrote to memory of 4620	2360	explorer.exe	99
PID 2360 wrote to memory of 4620	2360	explorer.exe	99
PID 2360 wrote to memory of 4620	2360	explorer.exe	99
PID 2360 wrote to memory of 1176	2360	explorer.exe	100
PID 2360 wrote to memory of 1176	2360	explorer.exe	100
PID 2360 wrote to memory of 1176	2360	explorer.exe	100
PID 2360 wrote to memory of 4852	2360	explorer.exe	101
PID 2360 wrote to memory of 4852	2360	explorer.exe	101
PID 2360 wrote to memory of 4852	2360	explorer.exe	101
PID 2360 wrote to memory of 2192	2360	explorer.exe	102
PID 2360 wrote to memory of 2192	2360	explorer.exe	102
PID 2360 wrote to memory of 2192	2360	explorer.exe	102
PID 2360 wrote to memory of 436	2360	explorer.exe	103
PID 2360 wrote to memory of 436	2360	explorer.exe	103
PID 2360 wrote to memory of 436	2360	explorer.exe	103
PID 2360 wrote to memory of 4360	2360	explorer.exe	104
PID 2360 wrote to memory of 4360	2360	explorer.exe	104
PID 2360 wrote to memory of 4360	2360	explorer.exe	104
PID 2360 wrote to memory of 2004	2360	explorer.exe	105
PID 2360 wrote to memory of 2004	2360	explorer.exe	105
PID 2360 wrote to memory of 2004	2360	explorer.exe	105
PID 2360 wrote to memory of 4476	2360	explorer.exe	106
PID 2360 wrote to memory of 4476	2360	explorer.exe	106
PID 2360 wrote to memory of 4476	2360	explorer.exe	106
PID 2360 wrote to memory of 2196	2360	explorer.exe	107
PID 2360 wrote to memory of 2196	2360	explorer.exe	107
PID 2360 wrote to memory of 2196	2360	explorer.exe	107
PID 2360 wrote to memory of 1720	2360	explorer.exe	108
PID 2360 wrote to memory of 1720	2360	explorer.exe	108
PID 2360 wrote to memory of 1720	2360	explorer.exe	108
PID 2360 wrote to memory of 2096	2360	explorer.exe	109
PID 2360 wrote to memory of 2096	2360	explorer.exe	109
PID 2360 wrote to memory of 2096	2360	explorer.exe	109
PID 2360 wrote to memory of 1020	2360	explorer.exe	110
PID 2360 wrote to memory of 1020	2360	explorer.exe	110
PID 2360 wrote to memory of 1020	2360	explorer.exe	110
PID 2360 wrote to memory of 1084	2360	explorer.exe	111

C:\Users\Admin\AppData\Local\Temp\44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\44eee15729ef471c7ba797e140530ac6_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1240
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1432
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3084
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4208
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1696
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4484
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3968
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4620
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1176
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4852
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2192
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5108
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5068
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:436
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3208
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4780
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4476
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2196
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1720
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2096
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1020
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3004
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4332
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:432
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4988
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1572
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4860
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1080
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4932
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1804
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2112
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4928
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3996
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1592
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1992
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1628
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:884
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4564
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1824
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3212
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1068
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3788
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4912
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4656
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3584
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:656
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2036
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1060
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4828
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2944
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3696
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3932
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2716
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4468
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3720
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3916
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3364
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2228
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1612
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4328
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4280
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3712
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1944
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
8c9321ae8a9ee23b3c7d31654da5c12b

SHA1
6d0c3b0dcc0570f9d5160f3bbdb6d37edbc0c329

SHA256
84f2f80efac5fc6740ea16845417781f31c9f8f4174641ee581a7a62fba70a7e

SHA512
0b75d383e3105ecab25fd9465f17cb83be443cdb42d35c98d2003d2b150daa509d55e55cbe85587e200d2156548ef631bfbbcb7a47ed7f2233a3a36e8b794bd5

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
237fda4e162f1969ced6a0b47964470f

SHA1
4bfe409a18b2695cb56be25636dff7b3b4fef646

SHA256
c2c61fc543ae711eeec0ee3cc3b495be9a25f2c73d01af24fa8ad7ee795a7dac

SHA512
0ae1b2ae9ac231c53c8b11c200f3890fea7693940fef1092f81ffe2659f2a1f6d90a90c8820e7bb5b6301f5650848c6e5ca0897842f0b20a0eeb5e1f7f942323

Download Submit
memory/432-1846-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/436-1248-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/836-2739-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1012-2385-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1020-1697-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1080-1973-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1084-1835-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1088-2309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1176-1060-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1240-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1240-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1256-4761-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1320-2618-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1320-2614-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-3248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1432-751-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1432-1830-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1468-4865-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1572-1847-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1696-1058-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1696-1971-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1704-4602-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-1562-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1732-3795-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-3799-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-926-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1856-1849-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1888-5201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-5344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2004-1412-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2036-4162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-1696-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2100-5025-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-5021-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-2463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-2460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-1982-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2152-1837-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2192-1247-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2196-1561-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2228-5015-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2228-5168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2308-2146-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-750-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2360-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2504-5008-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-74-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2520-69-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2716-4758-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2716-4947-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2916-2526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2940-4836-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-2586-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-2451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-2721-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3108-3500-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-2291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-3507-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-3625-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3240-1992-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3408-4887-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3556-5208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3556-5212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-2301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3584-4028-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3696-4726-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3748-4263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3808-2320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3912-33-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3912-37-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3912-31-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3912-0-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4144-1848-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4144-1850-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4168-2730-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4208-1861-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4208-927-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4280-5190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-1411-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4440-1859-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-1862-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4444-2606-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4444-2799-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-3154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-3040-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-1560-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4484-2084-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4484-1974-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-2155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4620-1059-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4768-2004-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4812-2915-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-4525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-4407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4852-1246-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4860-1858-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4912-3720-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4928-2907-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5008-1838-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5008-1955-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-3239-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5064-3356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5104-4048-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-2139-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5108-2271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download