pony | cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931

Analysis

max time kernel
118s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
Size

2.2MB
MD5

ab520768221a49b47d5f350d2f05e320
SHA1

f7809706e82860a26ceed1f2c10c1628e91df7e1
SHA256

cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931
SHA512

5561d8fc96ad335b4eb5529c9379a26250bf7d1a0bf77496f0641015375fd305b08f7502d64d471ea1d3b0049ef9ae56c60b8755dea6882f204281334eb0dd1c
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZv:0UzeyQMS4DqodCnoe+iitjWwwz

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe

Executes dropped EXE 64 IoCs

pid	Process
4156	explorer.exe
2928	explorer.exe
1668	spoolsv.exe
4356	spoolsv.exe
1272	spoolsv.exe
2484	spoolsv.exe
2336	spoolsv.exe
2352	spoolsv.exe
5116	spoolsv.exe
1036	spoolsv.exe
2384	spoolsv.exe
4324	spoolsv.exe
1112	spoolsv.exe
1800	spoolsv.exe
516	spoolsv.exe
628	spoolsv.exe
400	spoolsv.exe
1752	spoolsv.exe
1128	spoolsv.exe
3896	spoolsv.exe
2268	spoolsv.exe
3276	spoolsv.exe
3692	spoolsv.exe
4548	spoolsv.exe
2400	spoolsv.exe
4288	spoolsv.exe
4832	spoolsv.exe
840	spoolsv.exe
3512	spoolsv.exe
2892	spoolsv.exe
4004	spoolsv.exe
2132	spoolsv.exe
4144	explorer.exe
544	spoolsv.exe
432	spoolsv.exe
5076	spoolsv.exe
1984	spoolsv.exe
4608	spoolsv.exe
4696	spoolsv.exe
3784	explorer.exe
1728	spoolsv.exe
4988	spoolsv.exe
3184	spoolsv.exe
1580	spoolsv.exe
3308	spoolsv.exe
4328	spoolsv.exe
4752	explorer.exe
3604	spoolsv.exe
3484	spoolsv.exe
4808	spoolsv.exe
4720	spoolsv.exe
4800	spoolsv.exe
3108	explorer.exe
444	spoolsv.exe
5056	spoolsv.exe
392	spoolsv.exe
4492	spoolsv.exe
1812	spoolsv.exe
4996	spoolsv.exe
1468	spoolsv.exe
1204	explorer.exe
2328	spoolsv.exe
3620	spoolsv.exe
1032	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 33 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 4280	1376	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	99
PID 4156 set thread context of 2928	4156	explorer.exe	104
PID 1668 set thread context of 2132	1668	spoolsv.exe	134
PID 4356 set thread context of 544	4356	spoolsv.exe	136
PID 1272 set thread context of 432	1272	spoolsv.exe	137
PID 2484 set thread context of 1984	2484	spoolsv.exe	139
PID 2336 set thread context of 4696	2336	spoolsv.exe	141
PID 2352 set thread context of 1728	2352	spoolsv.exe	143
PID 5116 set thread context of 4988	5116	spoolsv.exe	144
PID 1036 set thread context of 3184	1036	spoolsv.exe	145
PID 2384 set thread context of 1580	2384	spoolsv.exe	146
PID 4324 set thread context of 4328	4324	spoolsv.exe	148
PID 1112 set thread context of 3604	1112	spoolsv.exe	150
PID 1800 set thread context of 3484	1800	spoolsv.exe	151
PID 516 set thread context of 4720	516	spoolsv.exe	153
PID 628 set thread context of 4800	628	spoolsv.exe	154
PID 400 set thread context of 444	400	spoolsv.exe	156
PID 1752 set thread context of 5056	1752	spoolsv.exe	157
PID 1128 set thread context of 392	1128	spoolsv.exe	158
PID 3896 set thread context of 4492	3896	spoolsv.exe	159
PID 2268 set thread context of 4996	2268	spoolsv.exe	161
PID 3276 set thread context of 1468	3276	spoolsv.exe	162
PID 3692 set thread context of 2328	3692	spoolsv.exe	164
PID 4548 set thread context of 3620	4548	spoolsv.exe	165
PID 2400 set thread context of 4604	2400	spoolsv.exe	167
PID 4288 set thread context of 4892	4288	spoolsv.exe	168
PID 4832 set thread context of 1364	4832	spoolsv.exe	170
PID 840 set thread context of 4760	840	spoolsv.exe	171
PID 3512 set thread context of 3080	3512	spoolsv.exe	172
PID 2892 set thread context of 116	2892	spoolsv.exe	174
PID 4004 set thread context of 2612	4004	spoolsv.exe	178
PID 4144 set thread context of 4080	4144	explorer.exe	180
PID 5076 set thread context of 3092	5076	spoolsv.exe	182

Drops file in Windows directory 54 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4280	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
4280	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4280	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
4280	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2928	explorer.exe
2132	spoolsv.exe
2132	spoolsv.exe
544	spoolsv.exe
544	spoolsv.exe
432	spoolsv.exe
432	spoolsv.exe
1984	spoolsv.exe
1984	spoolsv.exe
4696	spoolsv.exe
4696	spoolsv.exe
1728	spoolsv.exe
1728	spoolsv.exe
4988	spoolsv.exe
4988	spoolsv.exe
3184	spoolsv.exe
3184	spoolsv.exe
1580	spoolsv.exe
1580	spoolsv.exe
4328	spoolsv.exe
4328	spoolsv.exe
3604	spoolsv.exe
3604	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
4720	spoolsv.exe
4720	spoolsv.exe
4800	spoolsv.exe
4800	spoolsv.exe
444	spoolsv.exe
444	spoolsv.exe
5056	spoolsv.exe
5056	spoolsv.exe
392	spoolsv.exe
392	spoolsv.exe
4492	spoolsv.exe
4492	spoolsv.exe
4996	spoolsv.exe
4996	spoolsv.exe
1468	spoolsv.exe
1468	spoolsv.exe
2328	spoolsv.exe
2328	spoolsv.exe
3620	spoolsv.exe
3620	spoolsv.exe
4604	spoolsv.exe
4604	spoolsv.exe
4892	spoolsv.exe
4892	spoolsv.exe
1364	spoolsv.exe
1364	spoolsv.exe
4760	spoolsv.exe
4760	spoolsv.exe
3080	spoolsv.exe
3080	spoolsv.exe
116	spoolsv.exe
116	spoolsv.exe
2612	spoolsv.exe
2612	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 5044	1376	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	82
PID 1376 wrote to memory of 5044	1376	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	82
PID 1376 wrote to memory of 4280	1376	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	99
PID 1376 wrote to memory of 4280	1376	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	99
PID 1376 wrote to memory of 4280	1376	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	99
PID 1376 wrote to memory of 4280	1376	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	99
PID 1376 wrote to memory of 4280	1376	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	99
PID 4280 wrote to memory of 4156	4280	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	100
PID 4280 wrote to memory of 4156	4280	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	100
PID 4280 wrote to memory of 4156	4280	cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe	100
PID 4156 wrote to memory of 2928	4156	explorer.exe	104
PID 4156 wrote to memory of 2928	4156	explorer.exe	104
PID 4156 wrote to memory of 2928	4156	explorer.exe	104
PID 4156 wrote to memory of 2928	4156	explorer.exe	104
PID 4156 wrote to memory of 2928	4156	explorer.exe	104
PID 2928 wrote to memory of 1668	2928	explorer.exe	105
PID 2928 wrote to memory of 1668	2928	explorer.exe	105
PID 2928 wrote to memory of 1668	2928	explorer.exe	105
PID 2928 wrote to memory of 4356	2928	explorer.exe	106
PID 2928 wrote to memory of 4356	2928	explorer.exe	106
PID 2928 wrote to memory of 4356	2928	explorer.exe	106
PID 2928 wrote to memory of 1272	2928	explorer.exe	107
PID 2928 wrote to memory of 1272	2928	explorer.exe	107
PID 2928 wrote to memory of 1272	2928	explorer.exe	107
PID 2928 wrote to memory of 2484	2928	explorer.exe	108
PID 2928 wrote to memory of 2484	2928	explorer.exe	108
PID 2928 wrote to memory of 2484	2928	explorer.exe	108
PID 2928 wrote to memory of 2336	2928	explorer.exe	109
PID 2928 wrote to memory of 2336	2928	explorer.exe	109
PID 2928 wrote to memory of 2336	2928	explorer.exe	109
PID 2928 wrote to memory of 2352	2928	explorer.exe	110
PID 2928 wrote to memory of 2352	2928	explorer.exe	110
PID 2928 wrote to memory of 2352	2928	explorer.exe	110
PID 2928 wrote to memory of 5116	2928	explorer.exe	111
PID 2928 wrote to memory of 5116	2928	explorer.exe	111
PID 2928 wrote to memory of 5116	2928	explorer.exe	111
PID 2928 wrote to memory of 1036	2928	explorer.exe	112
PID 2928 wrote to memory of 1036	2928	explorer.exe	112
PID 2928 wrote to memory of 1036	2928	explorer.exe	112
PID 2928 wrote to memory of 2384	2928	explorer.exe	113
PID 2928 wrote to memory of 2384	2928	explorer.exe	113
PID 2928 wrote to memory of 2384	2928	explorer.exe	113
PID 2928 wrote to memory of 4324	2928	explorer.exe	114
PID 2928 wrote to memory of 4324	2928	explorer.exe	114
PID 2928 wrote to memory of 4324	2928	explorer.exe	114
PID 2928 wrote to memory of 1112	2928	explorer.exe	115
PID 2928 wrote to memory of 1112	2928	explorer.exe	115
PID 2928 wrote to memory of 1112	2928	explorer.exe	115
PID 2928 wrote to memory of 1800	2928	explorer.exe	116
PID 2928 wrote to memory of 1800	2928	explorer.exe	116
PID 2928 wrote to memory of 1800	2928	explorer.exe	116
PID 2928 wrote to memory of 516	2928	explorer.exe	117
PID 2928 wrote to memory of 516	2928	explorer.exe	117
PID 2928 wrote to memory of 516	2928	explorer.exe	117
PID 2928 wrote to memory of 628	2928	explorer.exe	118
PID 2928 wrote to memory of 628	2928	explorer.exe	118
PID 2928 wrote to memory of 628	2928	explorer.exe	118
PID 2928 wrote to memory of 400	2928	explorer.exe	119
PID 2928 wrote to memory of 400	2928	explorer.exe	119
PID 2928 wrote to memory of 400	2928	explorer.exe	119
PID 2928 wrote to memory of 1752	2928	explorer.exe	120
PID 2928 wrote to memory of 1752	2928	explorer.exe	120
PID 2928 wrote to memory of 1752	2928	explorer.exe	120
PID 2928 wrote to memory of 1128	2928	explorer.exe	121

C:\Users\Admin\AppData\Local\Temp\cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
"C:\Users\Admin\AppData\Local\Temp\cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe
  "C:\Users\Admin\AppData\Local\Temp\cfab9c98b929f36c3654de72b8e019ebec422bf3bf08ba9713b37bed1c592931N.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4280
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - \??\c:\windows\system\explorer.exe
      "c:\windows\system\explorer.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1668
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4144
        
        \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4356
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1272
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2484
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2336
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4696
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2352
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5116
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1036
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2384
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4324
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1112
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1800
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:516
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:628
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1752
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1128
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3896
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2268
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3276
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3692
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4548
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2400
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4288
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4892
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4832
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:840
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3512
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2892
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:116
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4004
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5076
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4608
      - \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        6⤵
        
        PID:4676
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        7⤵
        
        PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.2MB

MD5
3975ef9d110f715d9de2ee64830410ff

SHA1
6c13555008dece83642d1c92ef52ac46360d40c0

SHA256
8e7d0edcdc2c66e8cf732950797e86adebc5e58b43e84a45ff421fe299cecb4c

SHA512
e08749c111ac2dde0d7c49713ecf722781fe473ece99f793d8e8bec1c7038b6f4a4f3f7013723ac34325fe843d20221973f8c6e7bdad48bc4326c0426e2f86c5

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
644f6093e236f8e7196eea4679ca5d13

SHA1
6da69325314e2e2f9eab414c68b74584e3b1f729

SHA256
146821503bdbb9d6d0517cca4b0457b45f30fdb4408630825bb614bbfd299470

SHA512
55b9c7284d6d7cc0c465526eac16666a24a46884108e166afc24d2fa9ad62827d05db9a1b438c05e3d3eedd7a4188084dbe72b29d7a9142e290e9e94f1bd9c91

Download Submit
memory/116-3072-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/392-2433-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-1619-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/432-1879-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/444-2409-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/444-2412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/516-1490-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/544-1815-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-1820-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-1817-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/628-1542-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1036-1186-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1112-1371-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1128-1722-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1272-1881-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1272-871-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1376-47-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1376-46-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1376-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/1376-54-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1468-2632-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1468-2807-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-2133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-719-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1668-1807-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1728-2062-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1752-1721-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1800-1423-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1984-1902-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-1898-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-1806-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-1969-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2268-1801-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2336-998-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2352-1089-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2384-1252-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2484-1900-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2484-927-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2612-3266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-657-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3080-2856-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3080-2859-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3092-3394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3184-2083-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3276-1814-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3484-2241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-2230-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-2234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-2651-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3620-2654-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3692-1873-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3896-1789-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4080-3219-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4156-88-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4156-94-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4280-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4280-82-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4280-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-1309-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4328-2221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4328-2366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4356-798-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4356-1818-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4492-2443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4548-1893-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4604-2737-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4604-2740-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4676-3460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-2048-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-2203-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-2384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4720-2371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-2847-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4800-2600-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4800-2402-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4892-2830-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4988-2071-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4988-2075-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-2529-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-2423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5116-1140-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download