Analysis Overview
SHA256
92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452
Threat Level: Known bad
The file 92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452 was found to be: Known bad.
Malicious Activity Summary
Pony family
Modifies visibility of hidden/system files in Explorer
Modifies WinLogon for persistence
Pony,Fareit
Boot or Logon Autostart Execution: Active Setup
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 00:36
Signatures
Pony family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 00:36
Reported
2024-11-13 00:39
Platform
win7-20240903-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
Pony family
Pony,Fareit
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1984 set thread context of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe |
| PID 2652 set thread context of 1936 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe
"C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe
"C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
Network
Files
memory/1984-0-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Windows\Parameters.ini
| MD5 | 6687785d6a31cdf9a5f80acb3abc459b |
| SHA1 | 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9 |
| SHA256 | 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b |
| SHA512 | 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962 |
memory/1984-17-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1984-16-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2712-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2712-25-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1984-27-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2712-29-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2712-19-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | d05139d77e933e726a1ca1c8f971a936 |
| SHA1 | c1c8e55c97aee5cfd86783dc07af904450cc7391 |
| SHA256 | 9af5c5ff94ec9f8dbee4cf613443d49bc2e11338189e807f75adc4c07b279e87 |
| SHA512 | d392762df36ca8d60693c2b8c02095b568f7dd30e8dcfee84fa2080db02cf6ea791ae31f0e42e7fa41a5adb5bd6b4cdd919b56e9c3798b7e4983860ecb152239 |
memory/2652-42-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2712-50-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2652-61-0x0000000000400000-0x00000000005D3000-memory.dmp
memory/2652-70-0x0000000000400000-0x00000000005D3000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 4c5b68f1f564aebe03f011c5ea734fd8 |
| SHA1 | 29392345a22424981f9c82a8c4372326da747755 |
| SHA256 | 8bd065bc9c241d5b60bc841be8be0a06f8b6babbe853cef479cdfe3427d35cf0 |
| SHA512 | c9073dfcc944e480b53c7bdf690967efebdfd0c0b970fa2d7eb40ec70f3ff1f3e3ac3c59c4464f9265a7d103d99df3f9c4e8da4a4e3b0a0226bb37aed825227a |
C:\Windows\Parameters.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 00:36
Reported
2024-11-13 00:39
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
137s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
Pony family
Pony,Fareit
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
| File opened for modification | C:\Windows\Parameters.ini | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\system\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe
"C:\Users\Admin\AppData\Local\Temp\92c20694d536fab3b621929d1822e79d9b87ce49dc5248e6bf4d0f3a85903452.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/3152-0-0x00000000007E0000-0x00000000007E1000-memory.dmp
C:\Windows\Parameters.ini
| MD5 | 6687785d6a31cdf9a5f80acb3abc459b |
| SHA1 | 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9 |
| SHA256 | 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b |
| SHA512 | 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962 |
\??\c:\windows\system\explorer.exe
| MD5 | 371e430a29098e2585ce1a899236a38a |
| SHA1 | c1ed586f0fbea91a5faec40d3ed529cdc0f1955f |
| SHA256 | 9efcb7edf8c65d147e3e4b1db574e675ab4dd4e0a547bc65ec8980454f1af9d9 |
| SHA512 | 34221394bbbf78a7418823b071530b801b80c708f457872ff73a48363a3d0c4c1ba5b73ddd6a6f4cbbcc28285b3bb1e92ddd74e120755d8731065ef07b32cab3 |
C:\Windows\System\spoolsv.exe
| MD5 | bfc340f60b396e349d38d8d7f487f832 |
| SHA1 | 50ab1f0ee3bd510d7a89f83912fa6e52a7e048fc |
| SHA256 | c6a7fed72fa9f60f765865f09a2f5a7f820b8fd6554ac9f010c01a5c3230eace |
| SHA512 | 98e642d86a1d39fca26372568b2738c6048b40c385aff814e0fc3a02952b92e4ed3fd75b2c47a60725b7904c3c12e08fc9dfc9c45c2dedfc3d278771d0885711 |
memory/4604-2431-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4604-2435-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3284-2462-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3544-2539-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1832-2549-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1832-2553-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4416-2570-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2980-2615-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4332-2712-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1956-2721-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1272-2732-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4384-2757-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4332-2871-0x0000000000400000-0x000000000043E000-memory.dmp
memory/856-2900-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4720-2909-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1700-2921-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4596-2948-0x0000000000400000-0x000000000043E000-memory.dmp
memory/404-2959-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1652-2972-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2588-2985-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4608-2999-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1808-3012-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4768-3048-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4424-3057-0x0000000000400000-0x000000000043E000-memory.dmp
memory/836-3035-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2268-3034-0x0000000000400000-0x000000000043E000-memory.dmp
memory/856-3031-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4832-3065-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3020-3090-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4352-3119-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4116-3178-0x0000000000400000-0x000000000043E000-memory.dmp
memory/388-3314-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4828-3343-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4424-3400-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4160-3502-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1620-3630-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5012-3770-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3192-3776-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4324-3876-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4468-4997-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3204-5006-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4980-5088-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4344-5098-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4804-5245-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3484-5412-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3488-5425-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5072-5430-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5072-5435-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3484-5548-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2548-5566-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1592-5789-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2124-5809-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1592-5921-0x0000000000400000-0x000000000043E000-memory.dmp