pony | 5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330

Analysis

max time kernel
119s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
Size

2.2MB
MD5

fb3c7698b6986d4ffb9bd58e1562f930
SHA1

f3a0fd6124a7f0b8f711e9ed553bffb93cf77f85
SHA256

5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330
SHA512

0ed37842da4eb1487c5f80148d00821155f68908665af989153829c176629a8d66857731d8cbc08b3434d902536000abe4489538b9e641cb222185def5b1e15f
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZU:0UzeyQMS4DqodCnoe+iitjWwwI

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe

Executes dropped EXE 64 IoCs

pid	Process
1608	explorer.exe
3312	explorer.exe
2844	spoolsv.exe
4236	spoolsv.exe
3492	spoolsv.exe
452	spoolsv.exe
3000	spoolsv.exe
4588	spoolsv.exe
4136	spoolsv.exe
2428	spoolsv.exe
208	spoolsv.exe
2804	spoolsv.exe
1552	spoolsv.exe
764	spoolsv.exe
4152	spoolsv.exe
704	spoolsv.exe
3204	spoolsv.exe
3164	spoolsv.exe
3484	spoolsv.exe
3348	spoolsv.exe
2968	spoolsv.exe
1280	spoolsv.exe
4124	spoolsv.exe
2780	spoolsv.exe
3588	spoolsv.exe
4468	spoolsv.exe
4664	spoolsv.exe
692	explorer.exe
4544	spoolsv.exe
2816	spoolsv.exe
3296	spoolsv.exe
1868	spoolsv.exe
2548	spoolsv.exe
3372	spoolsv.exe
3368	spoolsv.exe
212	spoolsv.exe
1900	spoolsv.exe
1664	spoolsv.exe
5000	spoolsv.exe
1228	spoolsv.exe
2004	explorer.exe
1384	spoolsv.exe
4948	spoolsv.exe
2408	explorer.exe
1612	spoolsv.exe
3948	spoolsv.exe
4912	spoolsv.exe
3024	spoolsv.exe
2736	explorer.exe
3188	spoolsv.exe
2204	spoolsv.exe
4896	spoolsv.exe
3664	explorer.exe
4412	spoolsv.exe
3692	spoolsv.exe
620	spoolsv.exe
2532	spoolsv.exe
2560	explorer.exe
1596	spoolsv.exe
3820	spoolsv.exe
892	spoolsv.exe
4940	spoolsv.exe
1396	explorer.exe
3292	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 26 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 3532	1320	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	91
PID 1608 set thread context of 3312	1608	explorer.exe	95
PID 2844 set thread context of 4664	2844	spoolsv.exe	120
PID 4236 set thread context of 4544	4236	spoolsv.exe	122
PID 3492 set thread context of 2816	3492	spoolsv.exe	123
PID 452 set thread context of 3296	452	spoolsv.exe	124
PID 3000 set thread context of 1868	3000	spoolsv.exe	125
PID 4588 set thread context of 2548	4588	spoolsv.exe	126
PID 4136 set thread context of 3372	4136	spoolsv.exe	127
PID 2428 set thread context of 3368	2428	spoolsv.exe	128
PID 208 set thread context of 212	208	spoolsv.exe	129
PID 2804 set thread context of 1664	2804	spoolsv.exe	131
PID 1552 set thread context of 5000	1552	spoolsv.exe	132
PID 764 set thread context of 1228	764	spoolsv.exe	133
PID 4152 set thread context of 4948	4152	spoolsv.exe	136
PID 704 set thread context of 3948	704	spoolsv.exe	139
PID 3204 set thread context of 3024	3204	spoolsv.exe	141
PID 3164 set thread context of 3188	3164	spoolsv.exe	143
PID 3484 set thread context of 4896	3484	spoolsv.exe	145
PID 3348 set thread context of 3692	3348	spoolsv.exe	148
PID 2968 set thread context of 2532	2968	spoolsv.exe	150
PID 1280 set thread context of 3820	1280	spoolsv.exe	153
PID 4124 set thread context of 4940	4124	spoolsv.exe	155
PID 2780 set thread context of 1540	2780	spoolsv.exe	158
PID 3588 set thread context of 3008	3588	spoolsv.exe	159
PID 4468 set thread context of 1972	4468	spoolsv.exe	167

Drops file in Windows directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3532	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
3532	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
3532	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
3532	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
3312	explorer.exe
4664	spoolsv.exe
4664	spoolsv.exe
4544	spoolsv.exe
4544	spoolsv.exe
2816	spoolsv.exe
2816	spoolsv.exe
3296	spoolsv.exe
3296	spoolsv.exe
1868	spoolsv.exe
1868	spoolsv.exe
2548	spoolsv.exe
2548	spoolsv.exe
3372	spoolsv.exe
3372	spoolsv.exe
3368	spoolsv.exe
3368	spoolsv.exe
212	spoolsv.exe
212	spoolsv.exe
1664	spoolsv.exe
1664	spoolsv.exe
5000	spoolsv.exe
5000	spoolsv.exe
1228	spoolsv.exe
1228	spoolsv.exe
4948	spoolsv.exe
4948	spoolsv.exe
3948	spoolsv.exe
3948	spoolsv.exe
3024	spoolsv.exe
3024	spoolsv.exe
3188	spoolsv.exe
3188	spoolsv.exe
4896	spoolsv.exe
4896	spoolsv.exe
3692	spoolsv.exe
3692	spoolsv.exe
2532	spoolsv.exe
2532	spoolsv.exe
3820	spoolsv.exe
3820	spoolsv.exe
4940	spoolsv.exe
4940	spoolsv.exe
1540	spoolsv.exe
1540	spoolsv.exe
3008	spoolsv.exe
3008	spoolsv.exe
1972	spoolsv.exe
1972	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2720	1320	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	82
PID 1320 wrote to memory of 2720	1320	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	82
PID 1320 wrote to memory of 3532	1320	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	91
PID 1320 wrote to memory of 3532	1320	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	91
PID 1320 wrote to memory of 3532	1320	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	91
PID 1320 wrote to memory of 3532	1320	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	91
PID 1320 wrote to memory of 3532	1320	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	91
PID 3532 wrote to memory of 1608	3532	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	92
PID 3532 wrote to memory of 1608	3532	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	92
PID 3532 wrote to memory of 1608	3532	5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe	92
PID 1608 wrote to memory of 3312	1608	explorer.exe	95
PID 1608 wrote to memory of 3312	1608	explorer.exe	95
PID 1608 wrote to memory of 3312	1608	explorer.exe	95
PID 1608 wrote to memory of 3312	1608	explorer.exe	95
PID 1608 wrote to memory of 3312	1608	explorer.exe	95
PID 3312 wrote to memory of 2844	3312	explorer.exe	96
PID 3312 wrote to memory of 2844	3312	explorer.exe	96
PID 3312 wrote to memory of 2844	3312	explorer.exe	96
PID 3312 wrote to memory of 4236	3312	explorer.exe	97
PID 3312 wrote to memory of 4236	3312	explorer.exe	97
PID 3312 wrote to memory of 4236	3312	explorer.exe	97
PID 3312 wrote to memory of 3492	3312	explorer.exe	98
PID 3312 wrote to memory of 3492	3312	explorer.exe	98
PID 3312 wrote to memory of 3492	3312	explorer.exe	98
PID 3312 wrote to memory of 452	3312	explorer.exe	99
PID 3312 wrote to memory of 452	3312	explorer.exe	99
PID 3312 wrote to memory of 452	3312	explorer.exe	99
PID 3312 wrote to memory of 3000	3312	explorer.exe	100
PID 3312 wrote to memory of 3000	3312	explorer.exe	100
PID 3312 wrote to memory of 3000	3312	explorer.exe	100
PID 3312 wrote to memory of 4588	3312	explorer.exe	101
PID 3312 wrote to memory of 4588	3312	explorer.exe	101
PID 3312 wrote to memory of 4588	3312	explorer.exe	101
PID 3312 wrote to memory of 4136	3312	explorer.exe	102
PID 3312 wrote to memory of 4136	3312	explorer.exe	102
PID 3312 wrote to memory of 4136	3312	explorer.exe	102
PID 3312 wrote to memory of 2428	3312	explorer.exe	103
PID 3312 wrote to memory of 2428	3312	explorer.exe	103
PID 3312 wrote to memory of 2428	3312	explorer.exe	103
PID 3312 wrote to memory of 208	3312	explorer.exe	104
PID 3312 wrote to memory of 208	3312	explorer.exe	104
PID 3312 wrote to memory of 208	3312	explorer.exe	104
PID 3312 wrote to memory of 2804	3312	explorer.exe	105
PID 3312 wrote to memory of 2804	3312	explorer.exe	105
PID 3312 wrote to memory of 2804	3312	explorer.exe	105
PID 3312 wrote to memory of 1552	3312	explorer.exe	106
PID 3312 wrote to memory of 1552	3312	explorer.exe	106
PID 3312 wrote to memory of 1552	3312	explorer.exe	106
PID 3312 wrote to memory of 764	3312	explorer.exe	107
PID 3312 wrote to memory of 764	3312	explorer.exe	107
PID 3312 wrote to memory of 764	3312	explorer.exe	107
PID 3312 wrote to memory of 4152	3312	explorer.exe	108
PID 3312 wrote to memory of 4152	3312	explorer.exe	108
PID 3312 wrote to memory of 4152	3312	explorer.exe	108
PID 3312 wrote to memory of 704	3312	explorer.exe	109
PID 3312 wrote to memory of 704	3312	explorer.exe	109
PID 3312 wrote to memory of 704	3312	explorer.exe	109
PID 3312 wrote to memory of 3204	3312	explorer.exe	110
PID 3312 wrote to memory of 3204	3312	explorer.exe	110
PID 3312 wrote to memory of 3204	3312	explorer.exe	110
PID 3312 wrote to memory of 3164	3312	explorer.exe	111
PID 3312 wrote to memory of 3164	3312	explorer.exe	111
PID 3312 wrote to memory of 3164	3312	explorer.exe	111
PID 3312 wrote to memory of 3484	3312	explorer.exe	112

C:\Users\Admin\AppData\Local\Temp\5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
"C:\Users\Admin\AppData\Local\Temp\5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe
  "C:\Users\Admin\AppData\Local\Temp\5d379b5b7954a69c917862bfd56c947b42914ad6c3987c84706a2ad8724f0330N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3532
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2844
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4664
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4236
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3492
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:452
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3000
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4588
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4136
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2428
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:208
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2804
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1552
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:764
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1228
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4152
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4948
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:704
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3204
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3164
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3484
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4896
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3348
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2968
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1280
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4124
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2780
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3588
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4468
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
f0a0ec06356557536801f6a58c0b3d08

SHA1
6e524309b4add1c14c93fe260ba3b8f4adfff402

SHA256
ffadadb59b4db46f9aa60e87bfaf7a7ae770375524abbcca6c5d56040e0031cf

SHA512
d320dfa73d41addfe17e1fd5b07e35cbb0771200e38caae01413546f9432b058e152479f7f46deb76c52ceaf0511c54998e96c10e49c495e7557aa39b8e1a1b5

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
e1b1a9c64388ec78b10a208e957758f9

SHA1
7f97d09965b038ece8894d467d820adbfc594960

SHA256
a18e5ce206a3c3c7b7ad70749eaa7c409b201974fdf31bb3f0a9508ca512dd3c

SHA512
5452d3ee1ab1d4d54bf2414c345450c776a4ff20695f53196f63cb482a65c632271e3b2f25aae4530508af3656ed56f615284af4378917d8fb520f4bd17fe278

Download Submit
memory/208-1103-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/212-1711-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-1634-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/452-963-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/704-1418-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/764-1226-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1228-2019-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1280-1618-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1320-35-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1320-0-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1320-26-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1320-27-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1540-2841-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1552-1210-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1608-74-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1608-80-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1664-1789-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-1647-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2428-1042-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2532-2554-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-2695-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-1658-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2804-1104-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2816-1625-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2844-900-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2844-1606-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2968-1613-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3000-1029-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3008-2991-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-2217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3024-2330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3164-1469-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3188-2227-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3204-1421-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3296-1637-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-899-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3312-79-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3348-1599-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3368-1678-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3372-1669-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-1598-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3492-1624-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3492-962-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3532-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3532-67-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/3532-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-2435-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3948-2114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4136-1041-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4152-1283-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4236-961-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4236-1615-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4544-1614-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4588-1030-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4664-1868-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4896-2476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-2767-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4940-2876-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-2155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4948-2024-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-1800-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5000-1796-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download