pony | e5712610af22299b22a75c4e4000e266f6b58bd0334dade6f666574e1054d605

Analysis

max time kernel
116s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
Size

2.2MB
MD5

a6ec7fb68787c2147a4e951e19d3ba41
SHA1

9844321e0bf3fad5ec9b99191d16bc019dfa18f4
SHA256

e5712610af22299b22a75c4e4000e266f6b58bd0334dade6f666574e1054d605
SHA512

764459715c00113905470b7ea3fcda1dddcaf1cfb6f01eae05b308a524b9fc57afff58b5d39e1fb7edebba8da701fd13d329d5a323e297f6f071f183cc74bacb
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZq:0UzeyQMS4DqodCnoe+iitjWwwW

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe

Executes dropped EXE 22 IoCs

pid	Process
1260	explorer.exe
2228	explorer.exe
3600	spoolsv.exe
1152	spoolsv.exe
440	spoolsv.exe
2140	spoolsv.exe
4180	spoolsv.exe
5036	spoolsv.exe
1308	spoolsv.exe
1468	spoolsv.exe
3464	spoolsv.exe
3312	spoolsv.exe
3968	spoolsv.exe
8	spoolsv.exe
2440	spoolsv.exe
4468	spoolsv.exe
1048	explorer.exe
4828	spoolsv.exe
912	spoolsv.exe
3584	explorer.exe
2324	spoolsv.exe
2360	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 372 set thread context of 4632	372	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	102
PID 1260 set thread context of 2228	1260	explorer.exe	105
PID 3600 set thread context of 4468	3600	spoolsv.exe	119
PID 1152 set thread context of 912	1152	spoolsv.exe	122

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4632	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
4632	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4632	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
4632	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
2228	explorer.exe
4468	spoolsv.exe
4468	spoolsv.exe
912	spoolsv.exe
912	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 392	372	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	91
PID 372 wrote to memory of 392	372	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	91
PID 372 wrote to memory of 4632	372	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	102
PID 372 wrote to memory of 4632	372	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	102
PID 372 wrote to memory of 4632	372	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	102
PID 372 wrote to memory of 4632	372	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	102
PID 372 wrote to memory of 4632	372	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	102
PID 4632 wrote to memory of 1260	4632	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	103
PID 4632 wrote to memory of 1260	4632	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	103
PID 4632 wrote to memory of 1260	4632	a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe	103
PID 1260 wrote to memory of 2228	1260	explorer.exe	105
PID 1260 wrote to memory of 2228	1260	explorer.exe	105
PID 1260 wrote to memory of 2228	1260	explorer.exe	105
PID 1260 wrote to memory of 2228	1260	explorer.exe	105
PID 1260 wrote to memory of 2228	1260	explorer.exe	105
PID 2228 wrote to memory of 3600	2228	explorer.exe	106
PID 2228 wrote to memory of 3600	2228	explorer.exe	106
PID 2228 wrote to memory of 3600	2228	explorer.exe	106
PID 2228 wrote to memory of 1152	2228	explorer.exe	107
PID 2228 wrote to memory of 1152	2228	explorer.exe	107
PID 2228 wrote to memory of 1152	2228	explorer.exe	107
PID 2228 wrote to memory of 440	2228	explorer.exe	108
PID 2228 wrote to memory of 440	2228	explorer.exe	108
PID 2228 wrote to memory of 440	2228	explorer.exe	108
PID 2228 wrote to memory of 2140	2228	explorer.exe	109
PID 2228 wrote to memory of 2140	2228	explorer.exe	109
PID 2228 wrote to memory of 2140	2228	explorer.exe	109
PID 2228 wrote to memory of 4180	2228	explorer.exe	110
PID 2228 wrote to memory of 4180	2228	explorer.exe	110
PID 2228 wrote to memory of 4180	2228	explorer.exe	110
PID 2228 wrote to memory of 5036	2228	explorer.exe	111
PID 2228 wrote to memory of 5036	2228	explorer.exe	111
PID 2228 wrote to memory of 5036	2228	explorer.exe	111
PID 2228 wrote to memory of 1308	2228	explorer.exe	112
PID 2228 wrote to memory of 1308	2228	explorer.exe	112
PID 2228 wrote to memory of 1308	2228	explorer.exe	112
PID 2228 wrote to memory of 1468	2228	explorer.exe	113
PID 2228 wrote to memory of 1468	2228	explorer.exe	113
PID 2228 wrote to memory of 1468	2228	explorer.exe	113
PID 2228 wrote to memory of 3464	2228	explorer.exe	114
PID 2228 wrote to memory of 3464	2228	explorer.exe	114
PID 2228 wrote to memory of 3464	2228	explorer.exe	114
PID 2228 wrote to memory of 3312	2228	explorer.exe	115
PID 2228 wrote to memory of 3312	2228	explorer.exe	115
PID 2228 wrote to memory of 3312	2228	explorer.exe	115
PID 2228 wrote to memory of 3968	2228	explorer.exe	116
PID 2228 wrote to memory of 3968	2228	explorer.exe	116
PID 2228 wrote to memory of 3968	2228	explorer.exe	116
PID 2228 wrote to memory of 8	2228	explorer.exe	117
PID 2228 wrote to memory of 8	2228	explorer.exe	117
PID 2228 wrote to memory of 8	2228	explorer.exe	117
PID 2228 wrote to memory of 2440	2228	explorer.exe	118
PID 2228 wrote to memory of 2440	2228	explorer.exe	118
PID 2228 wrote to memory of 2440	2228	explorer.exe	118
PID 3600 wrote to memory of 4468	3600	spoolsv.exe	119
PID 3600 wrote to memory of 4468	3600	spoolsv.exe	119
PID 3600 wrote to memory of 4468	3600	spoolsv.exe	119
PID 3600 wrote to memory of 4468	3600	spoolsv.exe	119
PID 3600 wrote to memory of 4468	3600	spoolsv.exe	119
PID 4468 wrote to memory of 1048	4468	spoolsv.exe	120
PID 4468 wrote to memory of 1048	4468	spoolsv.exe	120
PID 4468 wrote to memory of 1048	4468	spoolsv.exe	120
PID 2228 wrote to memory of 4828	2228	explorer.exe	121
PID 2228 wrote to memory of 4828	2228	explorer.exe	121

C:\Users\Admin\AppData\Local\Temp\a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:372
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:392
- C:\Users\Admin\AppData\Local\Temp\a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a6ec7fb68787c2147a4e951e19d3ba41_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4632
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:3600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1048
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:3144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3584
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:872
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:408
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2140
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4180
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4492
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4168
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:2340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5036
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4520
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1308
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1468
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4532
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3464
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2884
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3312
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4232
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:8
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2440
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4660
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:1600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2324
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3012
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3504
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1380
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4124
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
131da19fcc5da2cd161caa093bf884b2

SHA1
742e45ea09e141892e62c58eeda4c502627cd7f0

SHA256
a3c6e332ce27ed4bd4d746ede5bd90c16931c3cc9f51cea5182d8b674981846c

SHA512
bd8964bacfb697a2827d565e3b44855454ab100fab565600fe1b2763c270c79f1dbd2cb9a23f92e1f3101c9abb27242c0e76687705db8bce10854687d36d0c07

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
40168455a9ec44b29a8b73bb376ff98b

SHA1
e079769f2071c8484f0c0baa313fa3e180e72b76

SHA256
6cbb9d8a7db85850ec817a442c926d0a5d628e5579818d6653b2f1025694f41c

SHA512
3f3eacc9431696ef52a9f59d1ccf5d5a81d27e31c4183d162de34e1546eee954319844c6fba1e24fd89084c0f22c4da661290e295daf3738fdd1513fadd3b162

Download Submit
memory/8-1324-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/372-20-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/372-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/372-1-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/372-27-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/372-17-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/372-18-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/440-1239-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/440-500-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/456-2570-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-2301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-2305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/872-1313-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/872-1237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-1012-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/912-1147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1092-2326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-1006-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1152-437-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1260-63-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1260-59-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1260-57-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1308-705-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1360-2494-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1360-2498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1376-2422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-722-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1848-2138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-2134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2140-559-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2140-1327-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2228-242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2228-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-2508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-1381-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2728-2413-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-2041-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2884-1918-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-2044-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2900-2025-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3144-2293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-1011-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3464-845-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3504-2487-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3600-842-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3600-243-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3968-1236-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4180-635-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4180-1386-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4232-2125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4232-2266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-1633-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-1651-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-847-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-990-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-1384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4492-1529-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-1689-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-1549-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-1896-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4632-54-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4632-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4660-2283-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5012-1325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5036-704-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5096-2400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download