pony | 8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9

Analysis

max time kernel
111s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
Size

2.2MB
MD5

44cc7d3fdcf0cc3c88c16bedebde2170
SHA1

a25ca6bfaf84fc5c69fc9755fa15fd0506c079a8
SHA256

8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9
SHA512

1ab86b5afa92d812e99beb0e09b84fde1e4027690269b1fc92f9a99c36516b9d4f2ee3b5a09b795277db2455da17b68d0aa3c714c05743f3a44a04955eb0967e
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZC:0UzeyQMS4DqodCnoe+iitjWwwm

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe

Executes dropped EXE 64 IoCs

pid	Process
3112	explorer.exe
2680	explorer.exe
3468	spoolsv.exe
1868	spoolsv.exe
1732	spoolsv.exe
3292	spoolsv.exe
3792	spoolsv.exe
4376	spoolsv.exe
728	spoolsv.exe
1076	spoolsv.exe
3432	spoolsv.exe
3548	spoolsv.exe
4832	spoolsv.exe
4464	spoolsv.exe
5044	spoolsv.exe
3160	spoolsv.exe
3996	spoolsv.exe
2996	spoolsv.exe
3360	spoolsv.exe
2736	spoolsv.exe
876	spoolsv.exe
4392	spoolsv.exe
4048	spoolsv.exe
1352	spoolsv.exe
2580	spoolsv.exe
2484	spoolsv.exe
3328	spoolsv.exe
4716	spoolsv.exe
3336	spoolsv.exe
4808	spoolsv.exe
2912	spoolsv.exe
1952	spoolsv.exe
2556	spoolsv.exe
1480	spoolsv.exe
2628	spoolsv.exe
5092	spoolsv.exe
1072	explorer.exe
4448	spoolsv.exe
5128	spoolsv.exe
5172	spoolsv.exe
5280	spoolsv.exe
5356	spoolsv.exe
5416	spoolsv.exe
5476	spoolsv.exe
5540	spoolsv.exe
5600	spoolsv.exe
5712	spoolsv.exe
6056	spoolsv.exe
6104	explorer.exe
1816	spoolsv.exe
3896	spoolsv.exe
5264	spoolsv.exe
5212	spoolsv.exe
5392	spoolsv.exe
2132	spoolsv.exe
5340	spoolsv.exe
3524	spoolsv.exe
3220	spoolsv.exe
5808	spoolsv.exe
5992	explorer.exe
6052	spoolsv.exe
2336	spoolsv.exe
3232	spoolsv.exe
4132	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 34 IoCs

description	pid	Process	procid_target
PID 3164 set thread context of 1196	3164	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	96
PID 3112 set thread context of 2680	3112	explorer.exe	101
PID 3468 set thread context of 5092	3468	spoolsv.exe	136
PID 1868 set thread context of 4448	1868	spoolsv.exe	138
PID 1732 set thread context of 5128	1732	spoolsv.exe	139
PID 3292 set thread context of 5280	3292	spoolsv.exe	141
PID 3792 set thread context of 5356	3792	spoolsv.exe	142
PID 4376 set thread context of 5416	4376	spoolsv.exe	143
PID 728 set thread context of 5476	728	spoolsv.exe	144
PID 1076 set thread context of 5540	1076	spoolsv.exe	145
PID 3432 set thread context of 5600	3432	spoolsv.exe	146
PID 3548 set thread context of 5712	3548	spoolsv.exe	147
PID 4832 set thread context of 6056	4832	spoolsv.exe	148
PID 4464 set thread context of 1816	4464	spoolsv.exe	150
PID 5044 set thread context of 3896	5044	spoolsv.exe	151
PID 3160 set thread context of 5264	3160	spoolsv.exe	152
PID 3996 set thread context of 5392	3996	spoolsv.exe	154
PID 2996 set thread context of 2132	2996	spoolsv.exe	155
PID 3360 set thread context of 5340	3360	spoolsv.exe	156
PID 2736 set thread context of 3524	2736	spoolsv.exe	157
PID 876 set thread context of 3220	876	spoolsv.exe	158
PID 4392 set thread context of 5808	4392	spoolsv.exe	159
PID 4048 set thread context of 2336	4048	spoolsv.exe	163
PID 1352 set thread context of 3232	1352	spoolsv.exe	164
PID 2580 set thread context of 4132	2580	spoolsv.exe	165
PID 2484 set thread context of 5060	2484	spoolsv.exe	166
PID 3328 set thread context of 5488	3328	spoolsv.exe	168
PID 4716 set thread context of 5548	4716	spoolsv.exe	170
PID 3336 set thread context of 364	3336	spoolsv.exe	171
PID 4808 set thread context of 4736	4808	spoolsv.exe	172
PID 2912 set thread context of 5656	2912	spoolsv.exe	173
PID 1952 set thread context of 6012	1952	spoolsv.exe	175
PID 2556 set thread context of 5116	2556	spoolsv.exe	176
PID 1480 set thread context of 1560	1480	spoolsv.exe	177

Drops file in Windows directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1196	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
1196	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1196	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
1196	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
5092	spoolsv.exe
5092	spoolsv.exe
4448	spoolsv.exe
4448	spoolsv.exe
5128	spoolsv.exe
5128	spoolsv.exe
5280	spoolsv.exe
5280	spoolsv.exe
5356	spoolsv.exe
5356	spoolsv.exe
5416	spoolsv.exe
5416	spoolsv.exe
5476	spoolsv.exe
5476	spoolsv.exe
5540	spoolsv.exe
5540	spoolsv.exe
5600	spoolsv.exe
5600	spoolsv.exe
5712	spoolsv.exe
5712	spoolsv.exe
6056	spoolsv.exe
6056	spoolsv.exe
1816	spoolsv.exe
1816	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe
5264	spoolsv.exe
5264	spoolsv.exe
5392	spoolsv.exe
5392	spoolsv.exe
2132	spoolsv.exe
2132	spoolsv.exe
5340	spoolsv.exe
5340	spoolsv.exe
3524	spoolsv.exe
3524	spoolsv.exe
3220	spoolsv.exe
3220	spoolsv.exe
5808	spoolsv.exe
5808	spoolsv.exe
2336	spoolsv.exe
2336	spoolsv.exe
3232	spoolsv.exe
3232	spoolsv.exe
4132	spoolsv.exe
4132	spoolsv.exe
5060	spoolsv.exe
5060	spoolsv.exe
5488	spoolsv.exe
5488	spoolsv.exe
5548	spoolsv.exe
5548	spoolsv.exe
364	spoolsv.exe
364	spoolsv.exe
4736	spoolsv.exe
4736	spoolsv.exe
5656	spoolsv.exe
5656	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3164 wrote to memory of 4984	3164	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	84
PID 3164 wrote to memory of 4984	3164	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	84
PID 3164 wrote to memory of 1196	3164	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	96
PID 3164 wrote to memory of 1196	3164	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	96
PID 3164 wrote to memory of 1196	3164	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	96
PID 3164 wrote to memory of 1196	3164	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	96
PID 3164 wrote to memory of 1196	3164	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	96
PID 1196 wrote to memory of 3112	1196	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	97
PID 1196 wrote to memory of 3112	1196	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	97
PID 1196 wrote to memory of 3112	1196	8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe	97
PID 3112 wrote to memory of 2680	3112	explorer.exe	101
PID 3112 wrote to memory of 2680	3112	explorer.exe	101
PID 3112 wrote to memory of 2680	3112	explorer.exe	101
PID 3112 wrote to memory of 2680	3112	explorer.exe	101
PID 3112 wrote to memory of 2680	3112	explorer.exe	101
PID 2680 wrote to memory of 3468	2680	explorer.exe	102
PID 2680 wrote to memory of 3468	2680	explorer.exe	102
PID 2680 wrote to memory of 3468	2680	explorer.exe	102
PID 2680 wrote to memory of 1868	2680	explorer.exe	103
PID 2680 wrote to memory of 1868	2680	explorer.exe	103
PID 2680 wrote to memory of 1868	2680	explorer.exe	103
PID 2680 wrote to memory of 1732	2680	explorer.exe	104
PID 2680 wrote to memory of 1732	2680	explorer.exe	104
PID 2680 wrote to memory of 1732	2680	explorer.exe	104
PID 2680 wrote to memory of 3292	2680	explorer.exe	105
PID 2680 wrote to memory of 3292	2680	explorer.exe	105
PID 2680 wrote to memory of 3292	2680	explorer.exe	105
PID 2680 wrote to memory of 3792	2680	explorer.exe	106
PID 2680 wrote to memory of 3792	2680	explorer.exe	106
PID 2680 wrote to memory of 3792	2680	explorer.exe	106
PID 2680 wrote to memory of 4376	2680	explorer.exe	107
PID 2680 wrote to memory of 4376	2680	explorer.exe	107
PID 2680 wrote to memory of 4376	2680	explorer.exe	107
PID 2680 wrote to memory of 728	2680	explorer.exe	108
PID 2680 wrote to memory of 728	2680	explorer.exe	108
PID 2680 wrote to memory of 728	2680	explorer.exe	108
PID 2680 wrote to memory of 1076	2680	explorer.exe	109
PID 2680 wrote to memory of 1076	2680	explorer.exe	109
PID 2680 wrote to memory of 1076	2680	explorer.exe	109
PID 2680 wrote to memory of 3432	2680	explorer.exe	110
PID 2680 wrote to memory of 3432	2680	explorer.exe	110
PID 2680 wrote to memory of 3432	2680	explorer.exe	110
PID 2680 wrote to memory of 3548	2680	explorer.exe	111
PID 2680 wrote to memory of 3548	2680	explorer.exe	111
PID 2680 wrote to memory of 3548	2680	explorer.exe	111
PID 2680 wrote to memory of 4832	2680	explorer.exe	112
PID 2680 wrote to memory of 4832	2680	explorer.exe	112
PID 2680 wrote to memory of 4832	2680	explorer.exe	112
PID 2680 wrote to memory of 4464	2680	explorer.exe	113
PID 2680 wrote to memory of 4464	2680	explorer.exe	113
PID 2680 wrote to memory of 4464	2680	explorer.exe	113
PID 2680 wrote to memory of 5044	2680	explorer.exe	115
PID 2680 wrote to memory of 5044	2680	explorer.exe	115
PID 2680 wrote to memory of 5044	2680	explorer.exe	115
PID 2680 wrote to memory of 3160	2680	explorer.exe	116
PID 2680 wrote to memory of 3160	2680	explorer.exe	116
PID 2680 wrote to memory of 3160	2680	explorer.exe	116
PID 2680 wrote to memory of 3996	2680	explorer.exe	117
PID 2680 wrote to memory of 3996	2680	explorer.exe	117
PID 2680 wrote to memory of 3996	2680	explorer.exe	117
PID 2680 wrote to memory of 2996	2680	explorer.exe	118
PID 2680 wrote to memory of 2996	2680	explorer.exe	118
PID 2680 wrote to memory of 2996	2680	explorer.exe	118
PID 2680 wrote to memory of 3360	2680	explorer.exe	119

C:\Users\Admin\AppData\Local\Temp\8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
"C:\Users\Admin\AppData\Local\Temp\8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:4984
- C:\Users\Admin\AppData\Local\Temp\8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe
  "C:\Users\Admin\AppData\Local\Temp\8c1947a4e551afe1fe6586fde418ed802670cf179d49b08677a0f70d00a6a4d9N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1196
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3468
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        
        PID:1192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1868
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1732
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3292
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3792
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4376
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:728
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3432
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3548
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4832
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6056
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4464
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5044
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3160
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2996
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3360
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2736
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:876
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4392
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5808
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4048
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1352
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2580
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2484
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3328
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5488
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4716
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3336
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4808
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2912
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1952
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2556
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1480
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:1560
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2628
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:2032
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:6052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
607c507aa8b9815da9d53cfcc515267e

SHA1
f48d79399be3a491fdc935a8fa9ea5389600f394

SHA256
9f530aacaea194a56c9760e6bb6ec6c07b6d03e977df724e9b91acee099931f6

SHA512
50f6f14193ff5fa6ec799775446b772005a9c338216cad09187ae629d1ecb29bcb22acbf29f45db0cdb28088b0e82847ff7457f4c5023bfea7aa6c4c9bf44724

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
c245705ebc3bf9b4b83d15567095ca71

SHA1
89aac371f8f6ccd2e75caeef4d35f69efbbebfc0

SHA256
6d7cd5dea3496c008cbc7af7bb347e5c431250ac11ac1b74824bfbd52a0ddd30

SHA512
8f953d203819443c5a8212efa64831e9c3038262ecff121e2fb488e418325dd97a9f9e5ff4b80ee24eb286c9f9de0001653a74d07d285cb3d1dff68dd3369762

Download Submit
memory/364-3009-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/364-3007-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/728-1311-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/876-2121-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1076-1372-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1192-4220-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1196-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1196-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1196-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-2266-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1560-3194-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-1072-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1732-2355-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1816-2539-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1868-1006-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1868-2284-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2032-3688-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-2653-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2336-2850-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-2358-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2580-2281-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2680-854-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2680-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2736-2059-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2996-1980-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3112-90-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3112-84-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3160-1781-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3164-0-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3164-37-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3164-36-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3164-43-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3220-2680-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3220-2685-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3232-2860-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-1168-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3360-1981-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3432-1493-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3468-2274-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3468-945-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3524-2672-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3548-1574-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3792-1249-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3996-1903-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4048-2265-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4132-2870-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-1310-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4392-2253-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4448-2282-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-1637-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4736-3022-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4736-3018-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4832-1575-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5044-1709-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5060-2881-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-2511-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5092-2273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-3128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-3133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5128-2359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5128-2360-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/5264-2622-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5280-2380-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5340-2665-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5340-2662-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5356-2390-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5392-2643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5416-2400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5476-2411-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5488-2988-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5540-2421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5548-2996-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5712-2476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5808-2769-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5808-2956-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6012-3121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6056-2530-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download