Analysis

  • max time kernel
    145s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-09-2024 17:03

General

  • Target

    5bd6db071fdb1fe9610f5a24eb6216dc0f052f4961001e57042a6760af48e9fa.exe

  • Size

    2.2MB

  • MD5

    e71febfc00b698ca0cd033ba72054bb3

  • SHA1

    7c899d12f6904d232e96183d4d02cd0b57ccf20c

  • SHA256

    5bd6db071fdb1fe9610f5a24eb6216dc0f052f4961001e57042a6760af48e9fa

  • SHA512

    ec864929135dcd2e72554d5bd5bf2d85ecf03c144789f5ffc95a4fcf823663a64ccef0ce5b32029d54de1a53af3ef9a1208252c1a2a21d11b92e2ed196d0a0f8

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZJ:0UzeyQMS4DqodCnoe+iitjWwwF

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 53 IoCs
  • Drops file in Windows directory 57 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bd6db071fdb1fe9610f5a24eb6216dc0f052f4961001e57042a6760af48e9fa.exe
    "C:\Users\Admin\AppData\Local\Temp\5bd6db071fdb1fe9610f5a24eb6216dc0f052f4961001e57042a6760af48e9fa.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1596
      • C:\Users\Admin\AppData\Local\Temp\5bd6db071fdb1fe9610f5a24eb6216dc0f052f4961001e57042a6760af48e9fa.exe
        "C:\Users\Admin\AppData\Local\Temp\5bd6db071fdb1fe9610f5a24eb6216dc0f052f4961001e57042a6760af48e9fa.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2880
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:2688
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2756
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2932
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2808
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2740
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2764
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2712
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2276
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2116
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:944
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2260
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2544
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2380
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  PID:964
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2800
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1848
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1620
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2016
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2532
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3200
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                    PID:3268
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:2088
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:3628
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2184
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3444
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2208
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3868
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:288
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:3600
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1452
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:4080
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2872
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:3812
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1448
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:1676
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:3000
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3960
                  • \??\c:\windows\system\explorer.exe
                    c:\windows\system\explorer.exe
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:4068
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1460
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3608
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:316
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:1624
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2008
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:3592
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1564
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:1816
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2852
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3056
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:1652
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:3460
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1868
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:3244
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1228
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:3624
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1820
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:2052
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:844
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3776
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:1580
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:3484
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:340
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:1968
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2108
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                    PID:2096
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  PID:1504
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    PID:1740
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2012
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                      PID:3016
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:1428
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:3036
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:2732
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      PID:3824
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:2980
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                        PID:1300
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:2360
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                          PID:1692
                      • \??\c:\windows\system\spoolsv.exe
                        c:\windows\system\spoolsv.exe SE
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        PID:2064
                        • \??\c:\windows\system\spoolsv.exe
                          "c:\windows\system\spoolsv.exe"
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of SetWindowsHookEx
                          PID:3100
                          • \??\c:\windows\system\explorer.exe
                            c:\windows\system\explorer.exe
                            7⤵
                            • System Location Discovery: System Language Discovery
                            PID:2136
                      • \??\c:\windows\system\spoolsv.exe
                        c:\windows\system\spoolsv.exe SE
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        PID:2908
                        • \??\c:\windows\system\spoolsv.exe
                          "c:\windows\system\spoolsv.exe"
                          6⤵
                          • System Location Discovery: System Language Discovery
                          PID:3952
                      • \??\c:\windows\system\spoolsv.exe
                        c:\windows\system\spoolsv.exe SE
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Drops file in Windows directory
                        PID:1932
                        • \??\c:\windows\system\spoolsv.exe
                          "c:\windows\system\spoolsv.exe"
                          6⤵
                            PID:3112
                        • \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe SE
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Drops file in Windows directory
                          PID:1124
                          • \??\c:\windows\system\spoolsv.exe
                            "c:\windows\system\spoolsv.exe"
                            6⤵
                              PID:900
                          • \??\c:\windows\system\spoolsv.exe
                            c:\windows\system\spoolsv.exe SE
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            PID:888
                            • \??\c:\windows\system\spoolsv.exe
                              "c:\windows\system\spoolsv.exe"
                              6⤵
                                PID:1084
                            • \??\c:\windows\system\spoolsv.exe
                              c:\windows\system\spoolsv.exe SE
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Drops file in Windows directory
                              PID:2072
                              • \??\c:\windows\system\spoolsv.exe
                                "c:\windows\system\spoolsv.exe"
                                6⤵
                                  PID:3816
                              • \??\c:\windows\system\spoolsv.exe
                                c:\windows\system\spoolsv.exe SE
                                5⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • Drops file in Windows directory
                                PID:1648
                                • \??\c:\windows\system\spoolsv.exe
                                  "c:\windows\system\spoolsv.exe"
                                  6⤵
                                    PID:2444
                                • \??\c:\windows\system\spoolsv.exe
                                  c:\windows\system\spoolsv.exe SE
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Drops file in Windows directory
                                  PID:332
                                  • \??\c:\windows\system\spoolsv.exe
                                    "c:\windows\system\spoolsv.exe"
                                    6⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2724
                                • \??\c:\windows\system\spoolsv.exe
                                  c:\windows\system\spoolsv.exe SE
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Drops file in Windows directory
                                  PID:2388
                                  • \??\c:\windows\system\spoolsv.exe
                                    "c:\windows\system\spoolsv.exe"
                                    6⤵
                                      PID:2804
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Drops file in Windows directory
                                    PID:1520
                                    • \??\c:\windows\system\spoolsv.exe
                                      "c:\windows\system\spoolsv.exe"
                                      6⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:784
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    PID:1656
                                    • \??\c:\windows\system\spoolsv.exe
                                      "c:\windows\system\spoolsv.exe"
                                      6⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3648
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Drops file in Windows directory
                                    PID:2044
                                    • \??\c:\windows\system\spoolsv.exe
                                      "c:\windows\system\spoolsv.exe"
                                      6⤵
                                        PID:3936
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:1316
                                      • \??\c:\windows\system\spoolsv.exe
                                        "c:\windows\system\spoolsv.exe"
                                        6⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3024
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:2440
                                      • \??\c:\windows\system\spoolsv.exe
                                        "c:\windows\system\spoolsv.exe"
                                        6⤵
                                          PID:4000
                                      • \??\c:\windows\system\spoolsv.exe
                                        c:\windows\system\spoolsv.exe SE
                                        5⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • Drops file in Windows directory
                                        • System Location Discovery: System Language Discovery
                                        PID:3032
                                        • \??\c:\windows\system\spoolsv.exe
                                          "c:\windows\system\spoolsv.exe"
                                          6⤵
                                            PID:3748
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • Drops file in Windows directory
                                          • System Location Discovery: System Language Discovery
                                          PID:1748
                                          • \??\c:\windows\system\spoolsv.exe
                                            "c:\windows\system\spoolsv.exe"
                                            6⤵
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:3240
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:2604
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                          • Executes dropped EXE
                                          • System Location Discovery: System Language Discovery
                                          PID:2792
                                        • \??\c:\windows\system\spoolsv.exe
                                          c:\windows\system\spoolsv.exe SE
                                          5⤵
                                            PID:3028
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:3732
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:3504
                                          • \??\c:\windows\system\spoolsv.exe
                                            c:\windows\system\spoolsv.exe SE
                                            5⤵
                                              PID:3860
                                            • \??\c:\windows\system\spoolsv.exe
                                              c:\windows\system\spoolsv.exe SE
                                              5⤵
                                                PID:3792
                                              • \??\c:\windows\system\spoolsv.exe
                                                c:\windows\system\spoolsv.exe SE
                                                5⤵
                                                  PID:3976
                                                • \??\c:\windows\system\spoolsv.exe
                                                  c:\windows\system\spoolsv.exe SE
                                                  5⤵
                                                    PID:3288
                                                  • \??\c:\windows\system\spoolsv.exe
                                                    c:\windows\system\spoolsv.exe SE
                                                    5⤵
                                                      PID:2560

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Windows\Parameters.ini

                                              Filesize

                                              74B

                                              MD5

                                              6687785d6a31cdf9a5f80acb3abc459b

                                              SHA1

                                              1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

                                              SHA256

                                              3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

                                              SHA512

                                              5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

                                            • C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD

                                              Filesize

                                              56KB

                                              MD5

                                              bd72dcf1083b6e22ccbfa0e8e27fb1e0

                                              SHA1

                                              3fd23d4f14da768da7b8364d74c54932d704e74e

                                              SHA256

                                              90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

                                              SHA512

                                              72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

                                            • \Windows\system\explorer.exe

                                              Filesize

                                              2.2MB

                                              MD5

                                              1a86c009acdcd0a5651d7e7b91e88c48

                                              SHA1

                                              4854953addc1346ef631d41f40e9baa96c82aa17

                                              SHA256

                                              2ed30643c1dbd238843d5ee6a342398f77b595bddc0c3232d7f0096d8cc7a6cd

                                              SHA512

                                              466aa9f42e09e108f3ecbe2224622ba183500ac7a3279d630efbe9e098c89442c011c9b7c914619af9fa0692aef80a52e3aab77bcacdca4a21248d356cfa554f

                                            • \Windows\system\spoolsv.exe

                                              Filesize

                                              2.2MB

                                              MD5

                                              a26870040d87ef8698838b09ccc65581

                                              SHA1

                                              fccd1647bc2486ffb7714ba184b355f6c07952a1

                                              SHA256

                                              f1b36e65aae86a758955c9ef52d694c5b3cf8cd5470334ac8e687806e8f1c7b9

                                              SHA512

                                              63fc554cf91809b0957cd9bd0d5d5ea479cae8506ddadc8f1d4df404c70a390bc22aed68e132e53d60381018651b50891d707885fa3433a3489790b6b379b689

                                            • memory/288-1592-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/316-1761-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/340-2050-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/844-1966-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/944-1049-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1228-1886-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1448-1676-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1452-1593-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1460-1678-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1504-2133-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1564-1763-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1580-1967-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1620-1332-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1624-2536-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/1640-18-0x0000000000220000-0x0000000000221000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1640-27-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1640-0-0x0000000000220000-0x0000000000221000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1640-17-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1652-1823-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1676-2620-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/1692-3009-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/1816-2580-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/1820-1887-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1848-2278-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/1868-1824-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/1968-2722-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2008-1762-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2016-2345-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2088-1429-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2096-2848-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2108-2051-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2116-2248-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2184-1510-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2208-1511-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2276-963-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2380-2300-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2532-1335-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2544-1145-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2688-72-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2688-42-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2688-62-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2712-2211-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2724-3012-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2756-743-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2756-3187-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2764-962-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2800-1226-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2808-2287-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2808-2200-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2852-1822-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2872-1594-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/2880-24-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2880-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2880-51-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2880-20-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2880-28-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2880-31-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/2932-861-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/3000-1677-0x0000000000400000-0x00000000005D3000-memory.dmp

                                              Filesize

                                              1.8MB

                                            • memory/3024-2950-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3100-2798-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3200-2372-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3240-2560-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3244-2799-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3444-2407-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3460-2600-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3592-2681-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3600-2425-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3608-2639-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3648-2871-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3748-3026-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3748-3008-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3812-2462-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3868-2491-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3936-3010-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3952-2997-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3960-2514-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/3960-2754-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            • memory/4000-3007-0x0000000000400000-0x000000000043E000-memory.dmp

                                              Filesize

                                              248KB

                                            We care about your privacy.

                                            This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.