Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2024 20:47

General

  • Target

    406b9b60b2b43b26fd8f4aebd0e5d4177eb2f1c146598e9ec10aa79b01339c5e.exe

  • Size

    2.2MB

  • MD5

    9446d6e2809a7fc3fe0da1f7e6ea2d6a

  • SHA1

    2d0f8823391fbf553ad12301e704140ca1b543d3

  • SHA256

    406b9b60b2b43b26fd8f4aebd0e5d4177eb2f1c146598e9ec10aa79b01339c5e

  • SHA512

    c9bd03b0bef4c895a027d7d87950018f4457d1f1df3e4b694f67a0e17eaae7f6a3324d5e1bce0216b5d021cbb2758a0655db0a97c21dd97a47ce61233d45406a

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZd:0UzeyQMS4DqodCnoe+iitjWwwx

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 49 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\406b9b60b2b43b26fd8f4aebd0e5d4177eb2f1c146598e9ec10aa79b01339c5e.exe
    "C:\Users\Admin\AppData\Local\Temp\406b9b60b2b43b26fd8f4aebd0e5d4177eb2f1c146598e9ec10aa79b01339c5e.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2096
      • C:\Users\Admin\AppData\Local\Temp\406b9b60b2b43b26fd8f4aebd0e5d4177eb2f1c146598e9ec10aa79b01339c5e.exe
        "C:\Users\Admin\AppData\Local\Temp\406b9b60b2b43b26fd8f4aebd0e5d4177eb2f1c146598e9ec10aa79b01339c5e.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2264
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2744
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1680
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:592
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1988
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2032
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1780
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1536
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2656
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2792
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1476
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2276
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:360
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2140
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2948
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2708
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1964
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:952
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1008
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:944
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2204
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:960
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:3312
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1828
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3160
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2964
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:3616
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1644
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3456
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3556
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2772
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3716
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2840
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4016
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • System Location Discovery: System Language Discovery
              PID:2876
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:3872
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:2680
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3860
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2472
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4080
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              PID:932
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:3076
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3472
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1596
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:3196
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1824
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2688
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:1064
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3252
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2908
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:1520
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Drops file in Windows directory
                  PID:2208
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2400
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Suspicious use of SetWindowsHookEx
                PID:3256
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:2156
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                  PID:1908
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:2500
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:1548
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2812
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:3348
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:2028
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:888
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2896
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:3356
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2132
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                    PID:3372
                • \??\c:\windows\system\spoolsv.exe
                  c:\windows\system\spoolsv.exe SE
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1292
                  • \??\c:\windows\system\spoolsv.exe
                    "c:\windows\system\spoolsv.exe"
                    6⤵
                      PID:3524
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    PID:1500
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of SetWindowsHookEx
                      PID:3364
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Drops file in Windows directory
                    PID:2596
                    • \??\c:\windows\system\spoolsv.exe
                      "c:\windows\system\spoolsv.exe"
                      6⤵
                        PID:3420
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:616
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:3388
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      PID:2320
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:3512
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:964
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:3380
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:272
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                        • System Location Discovery: System Language Discovery
                        PID:2816
                    • \??\c:\windows\system\spoolsv.exe
                      c:\windows\system\spoolsv.exe SE
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Drops file in Windows directory
                      • System Location Discovery: System Language Discovery
                      PID:2544
                      • \??\c:\windows\system\spoolsv.exe
                        "c:\windows\system\spoolsv.exe"
                        6⤵
                          PID:3444
                      • \??\c:\windows\system\spoolsv.exe
                        c:\windows\system\spoolsv.exe SE
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Drops file in Windows directory
                        • System Location Discovery: System Language Discovery
                        PID:2060
                        • \??\c:\windows\system\spoolsv.exe
                          "c:\windows\system\spoolsv.exe"
                          6⤵
                            PID:3612
                        • \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe SE
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Drops file in Windows directory
                          • System Location Discovery: System Language Discovery
                          PID:1712
                          • \??\c:\windows\system\spoolsv.exe
                            "c:\windows\system\spoolsv.exe"
                            6⤵
                            • System Location Discovery: System Language Discovery
                            PID:3540
                        • \??\c:\windows\system\spoolsv.exe
                          c:\windows\system\spoolsv.exe SE
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • System Location Discovery: System Language Discovery
                          PID:2788
                          • \??\c:\windows\system\spoolsv.exe
                            "c:\windows\system\spoolsv.exe"
                            6⤵
                              PID:3592
                          • \??\c:\windows\system\spoolsv.exe
                            c:\windows\system\spoolsv.exe SE
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Drops file in Windows directory
                            PID:2420
                            • \??\c:\windows\system\spoolsv.exe
                              "c:\windows\system\spoolsv.exe"
                              6⤵
                              • System Location Discovery: System Language Discovery
                              PID:3412
                          • \??\c:\windows\system\spoolsv.exe
                            c:\windows\system\spoolsv.exe SE
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Drops file in Windows directory
                            • System Location Discovery: System Language Discovery
                            PID:1316
                            • \??\c:\windows\system\spoolsv.exe
                              "c:\windows\system\spoolsv.exe"
                              6⤵
                                PID:2976
                            • \??\c:\windows\system\spoolsv.exe
                              c:\windows\system\spoolsv.exe SE
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Drops file in Windows directory
                              • System Location Discovery: System Language Discovery
                              PID:1724
                              • \??\c:\windows\system\spoolsv.exe
                                "c:\windows\system\spoolsv.exe"
                                6⤵
                                • System Location Discovery: System Language Discovery
                                PID:3148
                            • \??\c:\windows\system\spoolsv.exe
                              c:\windows\system\spoolsv.exe SE
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Drops file in Windows directory
                              • System Location Discovery: System Language Discovery
                              PID:2696
                              • \??\c:\windows\system\spoolsv.exe
                                "c:\windows\system\spoolsv.exe"
                                6⤵
                                  PID:3600
                              • \??\c:\windows\system\spoolsv.exe
                                c:\windows\system\spoolsv.exe SE
                                5⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • Drops file in Windows directory
                                • System Location Discovery: System Language Discovery
                                PID:2912
                                • \??\c:\windows\system\spoolsv.exe
                                  "c:\windows\system\spoolsv.exe"
                                  6⤵
                                    PID:2000
                                • \??\c:\windows\system\spoolsv.exe
                                  c:\windows\system\spoolsv.exe SE
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  • Drops file in Windows directory
                                  PID:1568
                                  • \??\c:\windows\system\spoolsv.exe
                                    "c:\windows\system\spoolsv.exe"
                                    6⤵
                                      PID:3788
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Drops file in Windows directory
                                    PID:1576
                                    • \??\c:\windows\system\spoolsv.exe
                                      "c:\windows\system\spoolsv.exe"
                                      6⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3396
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    • Drops file in Windows directory
                                    PID:1740
                                    • \??\c:\windows\system\spoolsv.exe
                                      "c:\windows\system\spoolsv.exe"
                                      6⤵
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2540
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    PID:2408
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Executes dropped EXE
                                    PID:2080
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Executes dropped EXE
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    PID:2636
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • Drops file in Windows directory
                                    PID:3728
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2576
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:3688
                                  • \??\c:\windows\system\spoolsv.exe
                                    c:\windows\system\spoolsv.exe SE
                                    5⤵
                                      PID:1716
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:3984
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Drops file in Windows directory
                                      PID:3996
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:2284
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Drops file in Windows directory
                                      PID:340
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Drops file in Windows directory
                                      PID:2520
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:1768
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:1816
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:3804
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Drops file in Windows directory
                                      PID:780
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:3636
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      PID:1600
                                    • \??\c:\windows\system\spoolsv.exe
                                      c:\windows\system\spoolsv.exe SE
                                      5⤵
                                        PID:2108

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Windows\Parameters.ini

                                Filesize

                                74B

                                MD5

                                6687785d6a31cdf9a5f80acb3abc459b

                                SHA1

                                1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

                                SHA256

                                3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

                                SHA512

                                5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

                              • \Windows\system\explorer.exe

                                Filesize

                                2.2MB

                                MD5

                                4ba57489ee45e87e7ef87093522d2a76

                                SHA1

                                da4c69f9be7eb6eb5693d499c53382cbf6bd6b0c

                                SHA256

                                4e03c72e0402a76f02df0c54512e62b08c2c544f4a41f34865a02f7e375125c8

                                SHA512

                                2b48d813614164247b254a2cffb6835b0ef3d226ba6bad8c3c55da7627fa7777160e3e2a9866ee8a528fe1cedc307fb1dcc71d9b5b0d0d2c604bcede759d75be

                              • \Windows\system\spoolsv.exe

                                Filesize

                                2.2MB

                                MD5

                                aac0795972ad6247b2621e8ec7f9627b

                                SHA1

                                fd90ad681b9101ce43b1a1f9696992fb435505ad

                                SHA256

                                a8c19d24e4561fdb0bb4ee482bd254a74dd3be1899debc47ac23e22639e9ac7e

                                SHA512

                                1dc07a3fcaa7a26c0c077c878c5fe380891b3886206b20453c5ae0cd983699d1432e5e3d5cd9ed9f1178138c09ebae602a26bd1eebba9660cdd7da43ff200e32

                              • memory/360-1106-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/592-747-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/932-1662-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/944-1369-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/952-1288-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/960-1380-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/1008-2215-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1064-1736-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/1292-2016-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/1476-1030-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/1520-2873-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1536-2061-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1596-1663-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/1644-1433-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/1680-646-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1780-828-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/1824-1735-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/1828-1381-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/1964-2128-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1988-2136-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/1988-2042-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2000-2916-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2000-2902-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2028-1880-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2132-1939-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2140-2154-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2156-1795-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2204-2177-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2252-17-0x00000000003C0000-0x00000000003C1000-memory.dmp

                                Filesize

                                4KB

                              • memory/2252-16-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2252-27-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2252-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

                                Filesize

                                4KB

                              • memory/2264-26-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2264-19-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2264-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                                Filesize

                                4KB

                              • memory/2264-28-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2264-49-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2400-1789-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2472-1585-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2500-1863-0x0000000002BB0000-0x0000000002D0C000-memory.dmp

                                Filesize

                                1.4MB

                              • memory/2500-1860-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2540-2419-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2656-929-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2680-1584-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2708-1197-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2744-60-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2744-70-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2744-41-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2772-1515-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2792-2097-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2812-1879-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2816-2901-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2816-2933-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2840-1516-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2876-1517-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2896-1938-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2908-1737-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2964-1432-0x0000000000400000-0x00000000005D3000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2976-2927-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/2976-2900-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3148-2897-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3148-2928-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3196-2494-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3252-2553-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3256-2634-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3312-2253-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3348-2719-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3364-2770-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3372-2815-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3380-2896-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3420-2838-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3456-2425-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3456-2287-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3512-2889-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3524-2898-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3540-2899-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3592-2883-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3600-2903-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3600-2925-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3612-2844-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3616-2298-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/3716-2319-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/4016-2381-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              • memory/4080-2401-0x0000000000400000-0x000000000043E000-memory.dmp

                                Filesize

                                248KB

                              We care about your privacy.

                              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.