Overview

overview

10

Static

static

10

7468ad7ba9...3N.exe

windows7-x64

10

7468ad7ba9...3N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2024 05:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7468ad7ba9acd0f48e71dff5309426c8a1feb67210403ef81dc4067a69f4e7e3N.exe

  • Size

    2.2MB

  • MD5

    f67978169c82278db88186c9bd79a540

  • SHA1

    3db5542043f9c80a142cb6200c62c5714bbcd6ee

  • SHA256

    7468ad7ba9acd0f48e71dff5309426c8a1feb67210403ef81dc4067a69f4e7e3

  • SHA512

    d0637e26ff0c2326471ca010b861dd35a51ffca87c8e93b334e2f8d08362f127962b20c5b800cf40deaddb8d275e1102d9c9bd6264d4881ad9da146bece888ad

  • SSDEEP

    24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZl:0UzeyQMS4DqodCnoe+iitjWwwR

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes
  • payload_url

    http://don.service-master.eu/shit.exe

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Drops startup file 2 IoCs
  • Executes dropped EXE 64 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 34 IoCs
  • Drops file in Windows directory 56 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7468ad7ba9acd0f48e71dff5309426c8a1feb67210403ef81dc4067a69f4e7e3N.exe
    "C:\Users\Admin\AppData\Local\Temp\7468ad7ba9acd0f48e71dff5309426c8a1feb67210403ef81dc4067a69f4e7e3N.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:4876
      • C:\Users\Admin\AppData\Local\Temp\7468ad7ba9acd0f48e71dff5309426c8a1feb67210403ef81dc4067a69f4e7e3N.exe
        "C:\Users\Admin\AppData\Local\Temp\7468ad7ba9acd0f48e71dff5309426c8a1feb67210403ef81dc4067a69f4e7e3N.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1040
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:116
          • \??\c:\windows\system\explorer.exe
            "c:\windows\system\explorer.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4448
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2516
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3544
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1560
                  • \??\c:\windows\system\explorer.exe
                    "c:\windows\system\explorer.exe"
                    8⤵
                    • System Location Discovery: System Language Discovery
                    PID:4844
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:852
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2072
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1868
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3724
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1108
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1964
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4568
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3524
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4396
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3212
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:876
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4860
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1612
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1916
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1744
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3336
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4304
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4720
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4868
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3960
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:800
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3240
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4472
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1932
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4284
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  PID:5060
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:3708
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2876
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:512
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2936
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4716
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3888
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4104
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1792
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:2672
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3984
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4420
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2596
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:4464
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4676
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4416
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1456
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3040
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4564
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:952
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4724
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1828
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:1732
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:1304
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2312
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:3004
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:452
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4300
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1776
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              PID:4972
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4460
                • \??\c:\windows\system\explorer.exe
                  c:\windows\system\explorer.exe
                  7⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:3164
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe SE
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Drops file in Windows directory
              PID:4320
              • \??\c:\windows\system\spoolsv.exe
                "c:\windows\system\spoolsv.exe"
                6⤵
                  PID:1160
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2400
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:2136
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:2580
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • Suspicious use of SetWindowsHookEx
                  PID:2772
                  • \??\c:\windows\system\explorer.exe
                    c:\windows\system\explorer.exe
                    7⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:5020
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Drops file in Windows directory
                PID:2896
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                  • System Location Discovery: System Language Discovery
                  PID:3468
                  • \??\c:\windows\system\explorer.exe
                    c:\windows\system\explorer.exe
                    7⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:4440
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe SE
                5⤵
                • Executes dropped EXE
                • Drops file in Windows directory
                • System Location Discovery: System Language Discovery
                PID:3688
                • \??\c:\windows\system\spoolsv.exe
                  "c:\windows\system\spoolsv.exe"
                  6⤵
                    PID:2544
                    • \??\c:\windows\system\explorer.exe
                      c:\windows\system\explorer.exe
                      7⤵
                        PID:116
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:916
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:1144
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    PID:3196
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Executes dropped EXE
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:632
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:2844
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:3516
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:3940
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:2472
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:3328
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:1740
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • Drops file in Windows directory
                    • System Location Discovery: System Language Discovery
                    PID:2292
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:2872
                  • \??\c:\windows\system\spoolsv.exe
                    c:\windows\system\spoolsv.exe SE
                    5⤵
                      PID:4480
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
              1⤵
                PID:3076

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Windows\Parameters.ini
                Filesize

                74B

                MD5

                6687785d6a31cdf9a5f80acb3abc459b

                SHA1

                1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

                SHA256

                3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

                SHA512

                5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

                Download Submit

              • C:\Windows\System\explorer.exe
                Filesize

                2.2MB

                MD5

                eb700034d3c54b299c1f27122bd75bb4

                SHA1

                fd3f79d5c0272c82707cfd8814a2d9cd3d8d97e9

                SHA256

                0d59ed7ec21e867c0d033f6aa58ed3cf39c1e653f6cef01355011793c0e565ab

                SHA512

                619dbe1dacded035f6123170f7368fe19b4ca90a85a0819aed012e48874c53c7e710a110a068838b17f500b95b0bb55c543080e3a2915d5520c2b6c28b81d86b

                Download Submit

              • C:\Windows\System\spoolsv.exe
                Filesize

                2.2MB

                MD5

                c70168c2d4c8c51979b5e2ba404f8795

                SHA1

                6b0651377ddcd493fb1aaf5c6afcaab1398dbd4f

                SHA256

                b6d6760a0990a13633509e2ef581fe2873c1967976ee082f88b0c5fd1611ed88

                SHA512

                299003054cf9ff51dcd0d2cbdc6c27fd1eee1455afc34b255ad0e9e994ecc8e365268ca67e106d2ffa21a5d6f9a6dc1d12ef6af82fdf81b930564ce0d07b1443

                Download Submit

              • memory/116-95-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/116-90-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/452-3003-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/512-1924-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/852-1017-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/852-2196-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/952-2912-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1040-79-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1040-40-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1040-39-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1108-1129-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1160-3175-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1172-44-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1172-36-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1172-0-0x0000000002370000-0x0000000002371000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1172-37-0x0000000002370000-0x0000000002371000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1456-2183-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1612-2377-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1744-2387-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1776-3076-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/1868-1128-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1868-2204-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1916-1418-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1932-1774-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1964-2279-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2072-2195-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2072-2197-0x0000000000440000-0x0000000000509000-memory.dmp

                Filesize

                804KB

                Download

              • memory/2072-2199-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2136-3254-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2312-2993-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2516-2187-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/2516-881-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/2596-2964-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2596-2881-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2672-2044-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/2772-3480-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2772-3347-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2876-2600-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2936-2610-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2936-2614-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3040-2900-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3212-2367-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3212-2574-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3240-1698-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/3336-1419-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/3468-3691-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3524-2291-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3544-2348-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3708-1847-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/3724-2209-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3888-2702-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/3960-1568-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/3984-2745-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4104-1977-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4284-2592-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4284-2789-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4304-2398-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4396-1291-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4416-2888-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4420-2101-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4448-96-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4448-808-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4460-3327-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4460-3170-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4472-2502-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4564-2193-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4568-1210-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4676-2179-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4716-1925-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4720-1490-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4724-2207-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4844-3778-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4860-1347-0x0000000000400000-0x00000000005D3000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/4868-2431-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download