pony | 73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397

Analysis

max time kernel
103s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
Size

2.2MB
MD5

d9be2cd67652a5a56bb141fc8378ff50
SHA1

ba73c495a982a98f35fed09e57d61593e0474989
SHA256

73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397
SHA512

0d31b1158e4fa897bb3aedffa7bf1360098faff922c9ac8cd02a3056ddf42db74197e5832f9dcecc4ee59eddb42e7fc92ea7d39798b74d34e76505e9348c8a68
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZo:0UzeyQMS4DqodCnoe+iitjWww0

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe

Executes dropped EXE 63 IoCs

pid	Process
2836	explorer.exe
1196	explorer.exe
4868	spoolsv.exe
4828	spoolsv.exe
1756	spoolsv.exe
5088	spoolsv.exe
2748	spoolsv.exe
4924	spoolsv.exe
1036	spoolsv.exe
4848	spoolsv.exe
3084	spoolsv.exe
2720	spoolsv.exe
4648	spoolsv.exe
4056	spoolsv.exe
1580	spoolsv.exe
4064	spoolsv.exe
544	spoolsv.exe
3600	spoolsv.exe
1852	spoolsv.exe
2636	spoolsv.exe
3948	spoolsv.exe
1560	spoolsv.exe
2268	spoolsv.exe
2240	spoolsv.exe
3272	spoolsv.exe
2212	spoolsv.exe
704	spoolsv.exe
4816	spoolsv.exe
1996	spoolsv.exe
1508	spoolsv.exe
4556	spoolsv.exe
4900	spoolsv.exe
1952	spoolsv.exe
2684	spoolsv.exe
3504	explorer.exe
2948	spoolsv.exe
2372	spoolsv.exe
3860	spoolsv.exe
336	spoolsv.exe
4548	explorer.exe
4884	spoolsv.exe
640	spoolsv.exe
2656	spoolsv.exe
2044	spoolsv.exe
1688	spoolsv.exe
3960	spoolsv.exe
3004	explorer.exe
432	spoolsv.exe
4908	spoolsv.exe
4364	spoolsv.exe
5028	spoolsv.exe
3280	explorer.exe
5024	spoolsv.exe
5096	spoolsv.exe
2436	spoolsv.exe
1264	explorer.exe
3892	spoolsv.exe
3896	spoolsv.exe
460	spoolsv.exe
4580	spoolsv.exe
1856	spoolsv.exe
220	explorer.exe
4456	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 2028	1560	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	91
PID 2836 set thread context of 1196	2836	explorer.exe	95
PID 4868 set thread context of 2684	4868	spoolsv.exe	127
PID 4828 set thread context of 2948	4828	spoolsv.exe	129
PID 1756 set thread context of 2372	1756	spoolsv.exe	130
PID 5088 set thread context of 336	5088	spoolsv.exe	132
PID 2748 set thread context of 4884	2748	spoolsv.exe	134
PID 4924 set thread context of 640	4924	spoolsv.exe	135
PID 1036 set thread context of 2656	1036	spoolsv.exe	136
PID 4848 set thread context of 1688	4848	spoolsv.exe	138
PID 3084 set thread context of 3960	3084	spoolsv.exe	139
PID 2720 set thread context of 432	2720	spoolsv.exe	141
PID 4648 set thread context of 4364	4648	spoolsv.exe	143
PID 4056 set thread context of 5028	4056	spoolsv.exe	144
PID 1580 set thread context of 5024	1580	spoolsv.exe	146
PID 4064 set thread context of 2436	4064	spoolsv.exe	148
PID 544 set thread context of 3892	544	spoolsv.exe	150
PID 3600 set thread context of 3896	3600	spoolsv.exe	151
PID 1852 set thread context of 460	1852	spoolsv.exe	152
PID 2636 set thread context of 1856	2636	spoolsv.exe	154
PID 3948 set thread context of 4456	3948	spoolsv.exe	156

Drops file in Windows directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
2028	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2028	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
2028	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
1196	explorer.exe
2684	spoolsv.exe
2684	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
2372	spoolsv.exe
2372	spoolsv.exe
336	spoolsv.exe
336	spoolsv.exe
4884	spoolsv.exe
4884	spoolsv.exe
640	spoolsv.exe
640	spoolsv.exe
2656	spoolsv.exe
2656	spoolsv.exe
1688	spoolsv.exe
1688	spoolsv.exe
3960	spoolsv.exe
3960	spoolsv.exe
432	spoolsv.exe
432	spoolsv.exe
4364	spoolsv.exe
4364	spoolsv.exe
5028	spoolsv.exe
5028	spoolsv.exe
5024	spoolsv.exe
5024	spoolsv.exe
2436	spoolsv.exe
2436	spoolsv.exe
3892	spoolsv.exe
3892	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe
460	spoolsv.exe
460	spoolsv.exe
1856	spoolsv.exe
1856	spoolsv.exe
4456	spoolsv.exe
4456	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3000	1560	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	82
PID 1560 wrote to memory of 3000	1560	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	82
PID 1560 wrote to memory of 2028	1560	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	91
PID 1560 wrote to memory of 2028	1560	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	91
PID 1560 wrote to memory of 2028	1560	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	91
PID 1560 wrote to memory of 2028	1560	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	91
PID 1560 wrote to memory of 2028	1560	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	91
PID 2028 wrote to memory of 2836	2028	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	92
PID 2028 wrote to memory of 2836	2028	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	92
PID 2028 wrote to memory of 2836	2028	73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe	92
PID 2836 wrote to memory of 1196	2836	explorer.exe	95
PID 2836 wrote to memory of 1196	2836	explorer.exe	95
PID 2836 wrote to memory of 1196	2836	explorer.exe	95
PID 2836 wrote to memory of 1196	2836	explorer.exe	95
PID 2836 wrote to memory of 1196	2836	explorer.exe	95
PID 1196 wrote to memory of 4868	1196	explorer.exe	96
PID 1196 wrote to memory of 4868	1196	explorer.exe	96
PID 1196 wrote to memory of 4868	1196	explorer.exe	96
PID 1196 wrote to memory of 4828	1196	explorer.exe	97
PID 1196 wrote to memory of 4828	1196	explorer.exe	97
PID 1196 wrote to memory of 4828	1196	explorer.exe	97
PID 1196 wrote to memory of 1756	1196	explorer.exe	98
PID 1196 wrote to memory of 1756	1196	explorer.exe	98
PID 1196 wrote to memory of 1756	1196	explorer.exe	98
PID 1196 wrote to memory of 5088	1196	explorer.exe	99
PID 1196 wrote to memory of 5088	1196	explorer.exe	99
PID 1196 wrote to memory of 5088	1196	explorer.exe	99
PID 1196 wrote to memory of 2748	1196	explorer.exe	100
PID 1196 wrote to memory of 2748	1196	explorer.exe	100
PID 1196 wrote to memory of 2748	1196	explorer.exe	100
PID 1196 wrote to memory of 4924	1196	explorer.exe	101
PID 1196 wrote to memory of 4924	1196	explorer.exe	101
PID 1196 wrote to memory of 4924	1196	explorer.exe	101
PID 1196 wrote to memory of 1036	1196	explorer.exe	102
PID 1196 wrote to memory of 1036	1196	explorer.exe	102
PID 1196 wrote to memory of 1036	1196	explorer.exe	102
PID 1196 wrote to memory of 4848	1196	explorer.exe	103
PID 1196 wrote to memory of 4848	1196	explorer.exe	103
PID 1196 wrote to memory of 4848	1196	explorer.exe	103
PID 1196 wrote to memory of 3084	1196	explorer.exe	104
PID 1196 wrote to memory of 3084	1196	explorer.exe	104
PID 1196 wrote to memory of 3084	1196	explorer.exe	104
PID 1196 wrote to memory of 2720	1196	explorer.exe	105
PID 1196 wrote to memory of 2720	1196	explorer.exe	105
PID 1196 wrote to memory of 2720	1196	explorer.exe	105
PID 1196 wrote to memory of 4648	1196	explorer.exe	106
PID 1196 wrote to memory of 4648	1196	explorer.exe	106
PID 1196 wrote to memory of 4648	1196	explorer.exe	106
PID 1196 wrote to memory of 4056	1196	explorer.exe	107
PID 1196 wrote to memory of 4056	1196	explorer.exe	107
PID 1196 wrote to memory of 4056	1196	explorer.exe	107
PID 1196 wrote to memory of 1580	1196	explorer.exe	108
PID 1196 wrote to memory of 1580	1196	explorer.exe	108
PID 1196 wrote to memory of 1580	1196	explorer.exe	108
PID 1196 wrote to memory of 4064	1196	explorer.exe	109
PID 1196 wrote to memory of 4064	1196	explorer.exe	109
PID 1196 wrote to memory of 4064	1196	explorer.exe	109
PID 1196 wrote to memory of 544	1196	explorer.exe	110
PID 1196 wrote to memory of 544	1196	explorer.exe	110
PID 1196 wrote to memory of 544	1196	explorer.exe	110
PID 1196 wrote to memory of 3600	1196	explorer.exe	111
PID 1196 wrote to memory of 3600	1196	explorer.exe	111
PID 1196 wrote to memory of 3600	1196	explorer.exe	111
PID 1196 wrote to memory of 1852	1196	explorer.exe	112

C:\Users\Admin\AppData\Local\Temp\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
"C:\Users\Admin\AppData\Local\Temp\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe
  "C:\Users\Admin\AppData\Local\Temp\73234ea085f3ef3446edaafb490059a4548e0b7b7c4b0dc7ad814d64a2ec7397N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2028
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4868
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4828
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1756
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5088
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:4844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2748
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4924
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1036
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4848
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3084
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3960
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2720
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4648
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4056
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5028
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1580
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4064
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:544
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3600
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1852
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2636
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3948
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1560
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2268
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2240
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2336
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:4040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3272
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2212
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:704
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4816
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:3132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1508
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4564
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4900
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1952
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4320
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:2116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3860
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1032
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
983cab6c36e1a6aa38e557f1409cc975

SHA1
25156b06540983bf6fb50812057fdca9503734c0

SHA256
7838f1708e9785d3aa476f50c5ddcd3b40501c740a96379df2b7779d31b08f4a

SHA512
efbb816d7a3224eed41d223ba027e4a588ad3fb24f9f58e2eb0573dcb9b984c2c26c14f2322dca18543822ed02d3872cf9cdea4ceacddaad5bd3af58ae0d47c1

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
1cdc6b57d8331c5fd97acafbd9903c9d

SHA1
464e158f8c8db601b9974addce36e58b7e97afb7

SHA256
dba73799df8178a33c5f1457cc2010269651b78457e8c9bba489301b6baafb26

SHA512
286f4aadaa320e941bd5ba7271ae705e1b77c3a89cd2c1e11d61665d2ffaf734c5324a63b8003f7bad7b78a0228fe4f39cc88bfcf149e8424c5a6f600eaba7b4

Download Submit
memory/336-2149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/336-2306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/432-2334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/460-2718-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-1750-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/640-2173-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-2169-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-3302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/956-3298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1032-3669-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1036-1202-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1196-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1196-655-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-3111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-3108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-2015-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1560-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1560-48-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1560-42-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1560-41-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1580-1631-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1688-2247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-2244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-3078-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-2037-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1756-948-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1852-1809-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1856-2857-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1856-3020-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-45-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2028-82-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/2028-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2240-2031-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2268-2030-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2336-3069-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-2040-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-2685-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2436-2796-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2636-1941-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2656-2180-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-2090-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2684-2016-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-1377-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2740-3087-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2748-1075-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2836-90-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2836-95-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2948-2026-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3084-1319-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3132-3120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3272-2142-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3600-1752-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3892-2694-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3896-2706-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-2014-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3960-2491-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3960-2322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-2878-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-2882-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-2889-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4056-1509-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4064-1693-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4320-3506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-2438-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-2870-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4456-2866-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-3290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4564-3098-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4648-1433-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4780-3393-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-887-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4828-2028-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4844-3679-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4848-1318-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4868-2017-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4868-727-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4884-2158-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4924-1126-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5024-2519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-2510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5028-2653-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-1014-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5104-3310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download