pony | ab479389ce28fb6d30f6b6c60346aed6aba5d32b6a5c2e41cb8e7a640d4a5c91

Analysis

max time kernel
123s
max time network
172s
platform
windows7_x64
resource
win7v20210410
submitted
13-07-2021 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pony_test001.exe
Size

2.6MB
MD5

ae95ec88d9b9ff869181e6fe2c60ca6f
SHA1

0f24a43b088b64d19f1bce99e80f80108005ad02
SHA256

ab479389ce28fb6d30f6b6c60346aed6aba5d32b6a5c2e41cb8e7a640d4a5c91
SHA512

626a2702c0c9ddfcea1af665d80673520002b00f1a3c190709671c878e83d86b71b71d8e281fb21b49ec5a8847b677bbd157e6a8962e601ad183c6c4be4bc994

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 15 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exeexplorer.exe

pid	process
1832	explorer.exe
744	explorer.exe
1028	explorer.exe
1900	spoolsv.exe
1384	spoolsv.exe
1804	spoolsv.exe
1800	spoolsv.exe
800	spoolsv.exe
1972	spoolsv.exe
1356	spoolsv.exe
748	spoolsv.exe
1268	explorer.exe
544	spoolsv.exe
1788	explorer.exe
920	explorer.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 2 IoCs

Processes:

pony_test001.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pony_test001.exe	pony_test001.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pony_test001.exe	pony_test001.exe

Loads dropped DLL 17 IoCs

Processes:

pony_test001.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1104	pony_test001.exe
1104	pony_test001.exe
1028	explorer.exe
1028	explorer.exe
1900	spoolsv.exe
1028	explorer.exe
1028	explorer.exe
1804	spoolsv.exe
1028	explorer.exe
1028	explorer.exe
800	spoolsv.exe
1028	explorer.exe
1028	explorer.exe
1972	spoolsv.exe
1384	spoolsv.exe
1356	spoolsv.exe
1800	spoolsv.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

pony_test001.exepony_test001.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1032 set thread context of 2044	1032	pony_test001.exe	pony_test001.exe
PID 2044 set thread context of 1104	2044	pony_test001.exe	pony_test001.exe
PID 1832 set thread context of 744	1832	explorer.exe	explorer.exe
PID 744 set thread context of 1028	744	explorer.exe	explorer.exe
PID 1900 set thread context of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1804 set thread context of 1800	1804	spoolsv.exe	spoolsv.exe
PID 800 set thread context of 1972	800	spoolsv.exe	spoolsv.exe
PID 1972 set thread context of 1356	1972	spoolsv.exe	spoolsv.exe
PID 1384 set thread context of 748	1384	spoolsv.exe	spoolsv.exe
PID 1800 set thread context of 544	1800	spoolsv.exe	spoolsv.exe
PID 1268 set thread context of 1788	1268	explorer.exe	explorer.exe
PID 1788 set thread context of 920	1788	explorer.exe	explorer.exe

Drops file in Windows directory 14 IoCs

Processes:

spoolsv.exeexplorer.exepony_test001.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exepony_test001.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	pony_test001.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	pony_test001.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

pony_test001.exeexplorer.exe

pid process

1104 pony_test001.exe
1028 explorer.exe
1028 explorer.exe
1028 explorer.exe
1028 explorer.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

pony_test001.exepony_test001.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exe

pid	process
1032	pony_test001.exe
1104	pony_test001.exe
1104	pony_test001.exe
1832	explorer.exe
1028	explorer.exe
1028	explorer.exe
1900	spoolsv.exe
1028	explorer.exe
1028	explorer.exe
1804	spoolsv.exe
800	spoolsv.exe
1356	spoolsv.exe
1356	spoolsv.exe
748	spoolsv.exe
544	spoolsv.exe
748	spoolsv.exe
1268	explorer.exe
544	spoolsv.exe
920	explorer.exe
920	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pony_test001.exepony_test001.exepony_test001.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 1032 wrote to memory of 2044	1032	pony_test001.exe	pony_test001.exe
PID 2044 wrote to memory of 1964	2044	pony_test001.exe	splwow64.exe
PID 2044 wrote to memory of 1964	2044	pony_test001.exe	splwow64.exe
PID 2044 wrote to memory of 1964	2044	pony_test001.exe	splwow64.exe
PID 2044 wrote to memory of 1964	2044	pony_test001.exe	splwow64.exe
PID 2044 wrote to memory of 1104	2044	pony_test001.exe	pony_test001.exe
PID 2044 wrote to memory of 1104	2044	pony_test001.exe	pony_test001.exe
PID 2044 wrote to memory of 1104	2044	pony_test001.exe	pony_test001.exe
PID 2044 wrote to memory of 1104	2044	pony_test001.exe	pony_test001.exe
PID 2044 wrote to memory of 1104	2044	pony_test001.exe	pony_test001.exe
PID 2044 wrote to memory of 1104	2044	pony_test001.exe	pony_test001.exe
PID 1104 wrote to memory of 1832	1104	pony_test001.exe	explorer.exe
PID 1104 wrote to memory of 1832	1104	pony_test001.exe	explorer.exe
PID 1104 wrote to memory of 1832	1104	pony_test001.exe	explorer.exe
PID 1104 wrote to memory of 1832	1104	pony_test001.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 1832 wrote to memory of 744	1832	explorer.exe	explorer.exe
PID 744 wrote to memory of 1028	744	explorer.exe	explorer.exe
PID 744 wrote to memory of 1028	744	explorer.exe	explorer.exe
PID 744 wrote to memory of 1028	744	explorer.exe	explorer.exe
PID 744 wrote to memory of 1028	744	explorer.exe	explorer.exe
PID 744 wrote to memory of 1028	744	explorer.exe	explorer.exe
PID 744 wrote to memory of 1028	744	explorer.exe	explorer.exe
PID 1028 wrote to memory of 1900	1028	explorer.exe	spoolsv.exe
PID 1028 wrote to memory of 1900	1028	explorer.exe	spoolsv.exe
PID 1028 wrote to memory of 1900	1028	explorer.exe	spoolsv.exe
PID 1028 wrote to memory of 1900	1028	explorer.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe
PID 1900 wrote to memory of 1384	1900	spoolsv.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\pony_test001.exe
"C:\Users\Admin\AppData\Local\Temp\pony_test001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\pony_test001.exe
"C:\Users\Admin\AppData\Local\Temp\pony_test001.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\pony_test001.exe
"C:\Users\Admin\AppData\Local\Temp\pony_test001.exe"
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:744

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1384

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1800

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1972

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1356

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1268

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1788

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1572

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\Parameters.ini
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
C:\Windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
C:\Windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
C:\Windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
C:\Windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
C:\Windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
C:\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
C:\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
C:\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
C:\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
C:\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
C:\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
C:\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
C:\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\??\c:\windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
\Windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
\Windows\system\explorer.exe
MD5
19abd846e3924e33371da579176ddbb3

SHA1
cfd0e828f3563234a1fc57dcdbc48542615b7a84

SHA256
c8d70d033372df1b8e9204d91941f21bd37ba503d235721fe817ca5032b836fc

SHA512
0df7d6ee0745c200e91b2b5fdf57d0a4554f01c8c9dc0a4232a12e4fbee8eb98f6770db298fc794b3e44159a41a770d160c4870ec514c2a44932d5c2a926b70d

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
\Windows\system\spoolsv.exe
MD5
3ef74461b2dc61d2b397d1d28cbc5dc2

SHA1
bb43ba6e8cc92bdf5a384abc1b7fca23c1b1be02

SHA256
edf389df39907d42b7d09270ff457f2708a2e379a722eecc82fe2ca3c159ab5c

SHA512
d7743559e2a2b13d327f8b47ae748c635d3f185ba581f2fece5440e046176d8727c0222feebb284945b30f1fb81f3795afcf88a64c9ea353361835f673ab55e1

Download Submit
memory/544-167-0x0000000000403670-mapping.dmp

Download
memory/744-87-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/744-83-0x000000000046D1F4-mapping.dmp

Download
memory/744-88-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/748-156-0x0000000000403670-mapping.dmp

Download
memory/800-124-0x0000000000000000-mapping.dmp

Download
memory/920-182-0x0000000000403670-mapping.dmp

Download
memory/1028-91-0x0000000000403670-mapping.dmp

Download
memory/1104-70-0x0000000000403670-mapping.dmp

Download
memory/1104-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1104-86-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1268-162-0x0000000000000000-mapping.dmp

Download
memory/1356-149-0x0000000000403670-mapping.dmp

Download
memory/1384-114-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1384-115-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1384-106-0x000000000046D1F4-mapping.dmp

Download
memory/1572-135-0x0000000000000000-mapping.dmp

Download
memory/1788-178-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1788-174-0x000000000046D1F4-mapping.dmp

Download
memory/1788-179-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1800-119-0x000000000046D1F4-mapping.dmp

Download
memory/1800-137-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1804-111-0x0000000000000000-mapping.dmp

Download
memory/1832-77-0x0000000000000000-mapping.dmp

Download
memory/1900-99-0x0000000000000000-mapping.dmp

Download
memory/1964-66-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download
memory/1964-65-0x0000000000000000-mapping.dmp

Download
memory/1972-141-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1972-130-0x000000000046D1F4-mapping.dmp

Download
memory/2044-67-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2044-68-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2044-64-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/2044-63-0x000000000046D1F4-mapping.dmp

Download
memory/2044-62-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads