pony | 7e075b6ce53029d2338b0c8fc521697724d4830593ff232d777cea29589c6854

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
Size

2.2MB
MD5

96b72cdd50703521a9c7f88dbcb45095
SHA1

346afa1ec7e1deb9807c593c107a3b6177a63277
SHA256

7e075b6ce53029d2338b0c8fc521697724d4830593ff232d777cea29589c6854
SHA512

59a327707be1519930e28732718ea6e7c9e818692472bf6fa2b3b2a0d9d442fc681af043a06fd48a13ee261df47947e6ad9d2db493b92b2ee2a5e18189eb36a3
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZx:0UzeyQMS4DqodCnoe+iitjWww9

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1448	explorer.exe
1844	explorer.exe
1996	spoolsv.exe
2136	spoolsv.exe
4972	spoolsv.exe
228	spoolsv.exe
988	spoolsv.exe
2144	spoolsv.exe
2808	spoolsv.exe
5048	spoolsv.exe
4580	spoolsv.exe
1868	spoolsv.exe
4124	spoolsv.exe
4756	spoolsv.exe
936	spoolsv.exe
3400	spoolsv.exe
3132	spoolsv.exe
1984	spoolsv.exe
4960	spoolsv.exe
1416	spoolsv.exe
4812	spoolsv.exe
3848	spoolsv.exe
4776	spoolsv.exe
3148	spoolsv.exe
4588	spoolsv.exe
2968	spoolsv.exe
5208	spoolsv.exe
5532	spoolsv.exe
5840	spoolsv.exe
6124	spoolsv.exe
5396	spoolsv.exe
5480	spoolsv.exe
5512	explorer.exe
5624	spoolsv.exe
5872	spoolsv.exe
6052	spoolsv.exe
5132	spoolsv.exe
5200	spoolsv.exe
5320	spoolsv.exe
5788	spoolsv.exe
5864	explorer.exe
5804	spoolsv.exe
5980	spoolsv.exe
5700	spoolsv.exe
5276	spoolsv.exe
5528	spoolsv.exe
5684	explorer.exe
640	spoolsv.exe
6112	spoolsv.exe
5196	spoolsv.exe
4704	spoolsv.exe
2100	spoolsv.exe
5436	explorer.exe
4740	spoolsv.exe
1372	spoolsv.exe
5956	spoolsv.exe
1404	spoolsv.exe
5332	spoolsv.exe
5324	explorer.exe
5856	spoolsv.exe
4832	spoolsv.exe
6104	spoolsv.exe
2908	spoolsv.exe
3124	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 36 IoCs

description	pid	Process	procid_target
PID 464 set thread context of 964	464	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	107
PID 1448 set thread context of 1844	1448	explorer.exe	111
PID 1996 set thread context of 5480	1996	spoolsv.exe	142
PID 2136 set thread context of 5624	2136	spoolsv.exe	144
PID 4972 set thread context of 5872	4972	spoolsv.exe	145
PID 228 set thread context of 5132	228	spoolsv.exe	147
PID 988 set thread context of 5200	988	spoolsv.exe	148
PID 2144 set thread context of 5320	2144	spoolsv.exe	149
PID 2808 set thread context of 5788	2808	spoolsv.exe	150
PID 5048 set thread context of 5804	5048	spoolsv.exe	152
PID 4580 set thread context of 5700	4580	spoolsv.exe	154
PID 1868 set thread context of 5276	1868	spoolsv.exe	155
PID 4124 set thread context of 5528	4124	spoolsv.exe	156
PID 4756 set thread context of 640	4756	spoolsv.exe	158
PID 936 set thread context of 5196	936	spoolsv.exe	160
PID 3400 set thread context of 4704	3400	spoolsv.exe	161
PID 1984 set thread context of 1372	1984	spoolsv.exe	165
PID 4960 set thread context of 5956	4960	spoolsv.exe	166
PID 1416 set thread context of 1404	1416	spoolsv.exe	168
PID 4812 set thread context of 5332	4812	spoolsv.exe	169
PID 3848 set thread context of 4832	3848	spoolsv.exe	172
PID 4776 set thread context of 6104	4776	spoolsv.exe	173
PID 3148 set thread context of 2908	3148	spoolsv.exe	174
PID 4588 set thread context of 3812	4588	spoolsv.exe	177
PID 2968 set thread context of 2248	2968	spoolsv.exe	178
PID 5208 set thread context of 6016	5208	spoolsv.exe	179
PID 5532 set thread context of 2620	5532	spoolsv.exe	180
PID 5840 set thread context of 5468	5840	spoolsv.exe	183
PID 6124 set thread context of 5508	6124	spoolsv.exe	184
PID 5396 set thread context of 4380	5396	spoolsv.exe	191
PID 5512 set thread context of 1584	5512	explorer.exe	197
PID 6052 set thread context of 3196	6052	spoolsv.exe	199
PID 5864 set thread context of 4764	5864	explorer.exe	204
PID 5980 set thread context of 2184	5980	spoolsv.exe	206
PID 5684 set thread context of 5204	5684	explorer.exe	212
PID 6112 set thread context of 5368	6112	spoolsv.exe	213

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
964	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
964	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
964	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
964	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
5480	spoolsv.exe
5480	spoolsv.exe
5624	spoolsv.exe
5624	spoolsv.exe
5872	spoolsv.exe
5872	spoolsv.exe
5132	spoolsv.exe
5132	spoolsv.exe
5200	spoolsv.exe
5200	spoolsv.exe
5320	spoolsv.exe
5320	spoolsv.exe
5788	spoolsv.exe
5788	spoolsv.exe
5804	spoolsv.exe
5804	spoolsv.exe
5700	spoolsv.exe
5700	spoolsv.exe
5276	spoolsv.exe
5276	spoolsv.exe
5528	spoolsv.exe
5528	spoolsv.exe
640	spoolsv.exe
640	spoolsv.exe
5196	spoolsv.exe
5196	spoolsv.exe
4704	spoolsv.exe
4704	spoolsv.exe
2100	spoolsv.exe
2100	spoolsv.exe
1372	spoolsv.exe
1372	spoolsv.exe
5956	spoolsv.exe
5956	spoolsv.exe
1404	spoolsv.exe
1404	spoolsv.exe
5332	spoolsv.exe
5332	spoolsv.exe
4832	spoolsv.exe
4832	spoolsv.exe
6104	spoolsv.exe
6104	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
3812	spoolsv.exe
3812	spoolsv.exe
2248	spoolsv.exe
2248	spoolsv.exe
6016	spoolsv.exe
6016	spoolsv.exe
2620	spoolsv.exe
2620	spoolsv.exe
5468	spoolsv.exe
5468	spoolsv.exe
5508	spoolsv.exe
5508	spoolsv.exe
4380	spoolsv.exe
4380	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 2348	464	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	93
PID 464 wrote to memory of 2348	464	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	93
PID 464 wrote to memory of 964	464	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	107
PID 464 wrote to memory of 964	464	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	107
PID 464 wrote to memory of 964	464	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	107
PID 464 wrote to memory of 964	464	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	107
PID 464 wrote to memory of 964	464	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	107
PID 964 wrote to memory of 1448	964	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	108
PID 964 wrote to memory of 1448	964	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	108
PID 964 wrote to memory of 1448	964	96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe	108
PID 1448 wrote to memory of 1844	1448	explorer.exe	111
PID 1448 wrote to memory of 1844	1448	explorer.exe	111
PID 1448 wrote to memory of 1844	1448	explorer.exe	111
PID 1448 wrote to memory of 1844	1448	explorer.exe	111
PID 1448 wrote to memory of 1844	1448	explorer.exe	111
PID 1844 wrote to memory of 1996	1844	explorer.exe	112
PID 1844 wrote to memory of 1996	1844	explorer.exe	112
PID 1844 wrote to memory of 1996	1844	explorer.exe	112
PID 1844 wrote to memory of 2136	1844	explorer.exe	113
PID 1844 wrote to memory of 2136	1844	explorer.exe	113
PID 1844 wrote to memory of 2136	1844	explorer.exe	113
PID 1844 wrote to memory of 4972	1844	explorer.exe	114
PID 1844 wrote to memory of 4972	1844	explorer.exe	114
PID 1844 wrote to memory of 4972	1844	explorer.exe	114
PID 1844 wrote to memory of 228	1844	explorer.exe	115
PID 1844 wrote to memory of 228	1844	explorer.exe	115
PID 1844 wrote to memory of 228	1844	explorer.exe	115
PID 1844 wrote to memory of 988	1844	explorer.exe	116
PID 1844 wrote to memory of 988	1844	explorer.exe	116
PID 1844 wrote to memory of 988	1844	explorer.exe	116
PID 1844 wrote to memory of 2144	1844	explorer.exe	117
PID 1844 wrote to memory of 2144	1844	explorer.exe	117
PID 1844 wrote to memory of 2144	1844	explorer.exe	117
PID 1844 wrote to memory of 2808	1844	explorer.exe	118
PID 1844 wrote to memory of 2808	1844	explorer.exe	118
PID 1844 wrote to memory of 2808	1844	explorer.exe	118
PID 1844 wrote to memory of 5048	1844	explorer.exe	119
PID 1844 wrote to memory of 5048	1844	explorer.exe	119
PID 1844 wrote to memory of 5048	1844	explorer.exe	119
PID 1844 wrote to memory of 4580	1844	explorer.exe	120
PID 1844 wrote to memory of 4580	1844	explorer.exe	120
PID 1844 wrote to memory of 4580	1844	explorer.exe	120
PID 1844 wrote to memory of 1868	1844	explorer.exe	121
PID 1844 wrote to memory of 1868	1844	explorer.exe	121
PID 1844 wrote to memory of 1868	1844	explorer.exe	121
PID 1844 wrote to memory of 4124	1844	explorer.exe	122
PID 1844 wrote to memory of 4124	1844	explorer.exe	122
PID 1844 wrote to memory of 4124	1844	explorer.exe	122
PID 1844 wrote to memory of 4756	1844	explorer.exe	124
PID 1844 wrote to memory of 4756	1844	explorer.exe	124
PID 1844 wrote to memory of 4756	1844	explorer.exe	124
PID 1844 wrote to memory of 936	1844	explorer.exe	125
PID 1844 wrote to memory of 936	1844	explorer.exe	125
PID 1844 wrote to memory of 936	1844	explorer.exe	125
PID 1844 wrote to memory of 3400	1844	explorer.exe	126
PID 1844 wrote to memory of 3400	1844	explorer.exe	126
PID 1844 wrote to memory of 3400	1844	explorer.exe	126
PID 1844 wrote to memory of 3132	1844	explorer.exe	127
PID 1844 wrote to memory of 3132	1844	explorer.exe	127
PID 1844 wrote to memory of 3132	1844	explorer.exe	127
PID 1844 wrote to memory of 1984	1844	explorer.exe	128
PID 1844 wrote to memory of 1984	1844	explorer.exe	128
PID 1844 wrote to memory of 1984	1844	explorer.exe	128
PID 1844 wrote to memory of 4960	1844	explorer.exe	129

C:\Users\Admin\AppData\Local\Temp\96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:464
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\96b72cdd50703521a9c7f88dbcb45095_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:964
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5480
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5512
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2136
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4972
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:228
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:988
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2144
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2808
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5788
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5864
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5048
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4580
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1868
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4124
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5528
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5684
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4756
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:936
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3132
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5436
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1984
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4960
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1416
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4812
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5332
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5324
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3848
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4776
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3148
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3124
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:6040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4588
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5208
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5532
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2620
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:880
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:6124
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5508
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4752
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:5796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5396
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4380
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5292
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:6052
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3196
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:5500
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5980
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2184
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:6112
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5368
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4740
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5328
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5856
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5340
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5792
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5916
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2012
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5012
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3900
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5812
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5628
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4844
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1012
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3296
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3604
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:6064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5520
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
cf8a7e7053c1c8129f938c8094eee489

SHA1
25273d5a71b2dd7bc8fbd1a2fff2b73bd51ba87c

SHA256
c2aa4051caa548af2ba17cc5c487526c8a828a0ecbb430b937b41d526804edc3

SHA512
5642115d409af6e7b18a059f9fadbcea4d31988bbb5eeeb8f26fb75c4e1be0ac4cf0e46a9ae8f02c7dd58c2982869e67df8896b5c8d4cdcf68dbdb298522ce4a

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
09cc6963465142fd9c49d0f08cb33d41

SHA1
68ec691c254ac561cec828b3ddfc7c9768313a56

SHA256
3702f682a729629ca55518ff6c89306ee89ba5407009658ab2fdaefbbe57f730

SHA512
aa979517c3e13850b90880cfdadf95018eee7b159366573232a19125d5adb9f4d715635ded8a6030c79373081dc42826e94f1a13245a20bf1119c58706c5b7e0

Download Submit
memory/228-967-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/228-1955-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/464-21-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/464-23-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/464-27-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/464-0-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/640-2253-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-1571-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/964-72-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/964-78-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/964-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/964-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/988-1083-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1372-2501-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1404-2522-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1416-1835-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1448-89-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1448-84-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1584-3677-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-823-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1844-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-1380-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1984-1766-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1996-1838-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1996-824-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2136-965-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2136-1851-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2144-1084-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2184-4069-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-4226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-2900-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2312-5138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2588-5148-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2620-3116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2620-2977-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2808-1245-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2908-2799-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2908-2970-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3132-1765-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3148-1953-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3196-3908-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3196-3774-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3400-1572-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3812-2892-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3848-1850-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3860-4622-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3936-5161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3944-4738-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4124-1381-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4380-3522-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-5046-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-1247-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4704-2352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4756-1382-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4764-3991-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4772-5259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-1923-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4812-1836-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4960-1767-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4972-1935-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4972-966-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5012-5342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-5088-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5048-1246-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5132-1957-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5132-1954-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5196-2344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5200-1965-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5204-4329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5276-2159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5276-2154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5320-1975-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5328-4630-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5328-4719-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5332-2775-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5332-2637-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5340-4746-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5340-4904-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5368-4337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5368-4449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5468-3068-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5468-3064-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5480-2036-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5480-1837-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5508-3265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5508-3153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5520-5351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5528-2398-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5584-5171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5624-1847-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5700-2147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5760-5266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5760-5269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5788-2055-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5804-2067-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5804-2062-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5872-1924-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5916-5059-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5956-2512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6040-4927-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6104-2724-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download