pony | 73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397

Analysis

max time kernel
116s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-09-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
Size

2.2MB
MD5

d9be2cd67652a5a56bb141fc8378ff50
SHA1

ba73c495a982a98f35fed09e57d61593e0474989
SHA256

73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397
SHA512

0d31b1158e4fa897bb3aedffa7bf1360098faff922c9ac8cd02a3056ddf42db74197e5832f9dcecc4ee59eddb42e7fc92ea7d39798b74d34e76505e9348c8a68
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZo:0UzeyQMS4DqodCnoe+iitjWww0

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe

Executes dropped EXE 32 IoCs

pid	Process
2128	explorer.exe
1156	explorer.exe
2032	spoolsv.exe
2344	spoolsv.exe
2772	spoolsv.exe
1592	spoolsv.exe
2172	spoolsv.exe
2300	spoolsv.exe
632	spoolsv.exe
3036	spoolsv.exe
468	spoolsv.exe
2692	spoolsv.exe
900	spoolsv.exe
2324	spoolsv.exe
2140	spoolsv.exe
2696	spoolsv.exe
2748	spoolsv.exe
2720	spoolsv.exe
2144	spoolsv.exe
792	spoolsv.exe
2532	spoolsv.exe
2292	spoolsv.exe
2880	spoolsv.exe
2972	spoolsv.exe
1744	spoolsv.exe
1804	spoolsv.exe
1596	spoolsv.exe
2848	spoolsv.exe
1580	spoolsv.exe
1708	spoolsv.exe
3052	spoolsv.exe
2920	spoolsv.exe

Loads dropped DLL 62 IoCs

pid	Process
2492	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
2492	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2492	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	31
PID 2128 set thread context of 1156	2128	explorer.exe	33

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2492	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2492	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
2492	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe
1156	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2884	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	30
PID 2748 wrote to memory of 2884	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	30
PID 2748 wrote to memory of 2884	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	30
PID 2748 wrote to memory of 2884	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	30
PID 2748 wrote to memory of 2492	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	31
PID 2748 wrote to memory of 2492	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	31
PID 2748 wrote to memory of 2492	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	31
PID 2748 wrote to memory of 2492	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	31
PID 2748 wrote to memory of 2492	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	31
PID 2748 wrote to memory of 2492	2748	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	31
PID 2492 wrote to memory of 2128	2492	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	32
PID 2492 wrote to memory of 2128	2492	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	32
PID 2492 wrote to memory of 2128	2492	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	32
PID 2492 wrote to memory of 2128	2492	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	32
PID 2128 wrote to memory of 1156	2128	explorer.exe	33
PID 2128 wrote to memory of 1156	2128	explorer.exe	33
PID 2128 wrote to memory of 1156	2128	explorer.exe	33
PID 2128 wrote to memory of 1156	2128	explorer.exe	33
PID 2128 wrote to memory of 1156	2128	explorer.exe	33
PID 2128 wrote to memory of 1156	2128	explorer.exe	33
PID 1156 wrote to memory of 2032	1156	explorer.exe	34
PID 1156 wrote to memory of 2032	1156	explorer.exe	34
PID 1156 wrote to memory of 2032	1156	explorer.exe	34
PID 1156 wrote to memory of 2032	1156	explorer.exe	34
PID 1156 wrote to memory of 2344	1156	explorer.exe	35
PID 1156 wrote to memory of 2344	1156	explorer.exe	35
PID 1156 wrote to memory of 2344	1156	explorer.exe	35
PID 1156 wrote to memory of 2344	1156	explorer.exe	35
PID 1156 wrote to memory of 2772	1156	explorer.exe	36
PID 1156 wrote to memory of 2772	1156	explorer.exe	36
PID 1156 wrote to memory of 2772	1156	explorer.exe	36
PID 1156 wrote to memory of 2772	1156	explorer.exe	36
PID 1156 wrote to memory of 1592	1156	explorer.exe	37
PID 1156 wrote to memory of 1592	1156	explorer.exe	37
PID 1156 wrote to memory of 1592	1156	explorer.exe	37
PID 1156 wrote to memory of 1592	1156	explorer.exe	37
PID 1156 wrote to memory of 2172	1156	explorer.exe	38
PID 1156 wrote to memory of 2172	1156	explorer.exe	38
PID 1156 wrote to memory of 2172	1156	explorer.exe	38
PID 1156 wrote to memory of 2172	1156	explorer.exe	38
PID 1156 wrote to memory of 2300	1156	explorer.exe	39
PID 1156 wrote to memory of 2300	1156	explorer.exe	39
PID 1156 wrote to memory of 2300	1156	explorer.exe	39
PID 1156 wrote to memory of 2300	1156	explorer.exe	39
PID 1156 wrote to memory of 632	1156	explorer.exe	40
PID 1156 wrote to memory of 632	1156	explorer.exe	40
PID 1156 wrote to memory of 632	1156	explorer.exe	40
PID 1156 wrote to memory of 632	1156	explorer.exe	40
PID 1156 wrote to memory of 3036	1156	explorer.exe	41
PID 1156 wrote to memory of 3036	1156	explorer.exe	41
PID 1156 wrote to memory of 3036	1156	explorer.exe	41
PID 1156 wrote to memory of 3036	1156	explorer.exe	41
PID 1156 wrote to memory of 468	1156	explorer.exe	42
PID 1156 wrote to memory of 468	1156	explorer.exe	42
PID 1156 wrote to memory of 468	1156	explorer.exe	42
PID 1156 wrote to memory of 468	1156	explorer.exe	42
PID 1156 wrote to memory of 2692	1156	explorer.exe	43
PID 1156 wrote to memory of 2692	1156	explorer.exe	43
PID 1156 wrote to memory of 2692	1156	explorer.exe	43
PID 1156 wrote to memory of 2692	1156	explorer.exe	43
PID 1156 wrote to memory of 900	1156	explorer.exe	44
PID 1156 wrote to memory of 900	1156	explorer.exe	44
PID 1156 wrote to memory of 900	1156	explorer.exe	44
PID 1156 wrote to memory of 900	1156	explorer.exe	44

C:\Users\Admin\AppData\Local\Temp\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
"C:\Users\Admin\AppData\Local\Temp\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
  "C:\Users\Admin\AppData\Local\Temp\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2492
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2032
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1492
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2344
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2772
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1592
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2172
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2300
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:632
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3204
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:3328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
\Windows\system\explorer.exe

Filesize
2.2MB

MD5
c0fc2b146bed43c5ed8cc50857feb303

SHA1
0285d3594ca736ffc6fe94fdf0a3789cc0ce2aec

SHA256
14c6016ccf00d084372552aa9def31c986ca2bda0d0efea74dfa1cf069c9ec03

SHA512
1f1e73d5cd1abc61b1d3ba64a3e18b4546f9e94bd0b86b8d622ed218a680c64d2336bdca056133d3dc168cb42999754a9530d640f4411abec7ff2584d806ff0c

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.2MB

MD5
06abbf3e665b8c9d47eff270a2539f30

SHA1
fe72564d96c84d6f06542eadb90546c785bd9634

SHA256
a5fff46d7724cc8dbf481204362780788840904e710ade1d01abc427257a17fe

SHA512
ff2390a420a9732e3e6a4d876b8aabc757bdabadfc76f528229e73d284bc4bffe5985731bed162e29e28454c57372bba887bb21f457ffc545d9148840d423679

Download Submit
memory/468-1358-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/632-1266-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/792-1697-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/900-1443-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/916-2262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1156-611-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-2227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-2325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1544-2319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-2083-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1592-999-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1596-1971-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1708-2084-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1744-1879-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1804-1880-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2032-707-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2128-37-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2128-63-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2128-52-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2140-1520-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2140-1523-0x0000000002B00000-0x0000000002C5C000-memory.dmp

Filesize
1.4MB

Download
memory/2144-1603-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2172-1070-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2204-2342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2292-1795-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2300-1161-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2324-1444-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2344-788-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2492-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2492-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-1698-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2692-1437-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2696-1524-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2720-1602-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2748-24-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2748-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2748-1525-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2748-12-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2748-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2772-893-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2844-2242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-2238-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2848-1972-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2868-2276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-1796-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2920-2197-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2972-1797-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3036-1356-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3052-2085-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3204-2453-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3276-2440-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download