pony | 259f7eb49f70f1bd6d4211773390d386e3306c8e031e1b8b8e99aa0b5a2111f2

General

Target

05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
Size

2.6MB
MD5

05de19657d326d7697ee0f49649e48cd
SHA1

777641f21ff7d667302389d8ee920597ac64dc1f
SHA256

259f7eb49f70f1bd6d4211773390d386e3306c8e031e1b8b8e99aa0b5a2111f2
SHA512

d5ba1f24ff0999b2edfb1356c21651fe2cc0f2f1d9cc5c8c0cc19e16254c19d8e1ff14855441f03a1a1a11119e721e950ca40b9d32a8804a22e336c541085cab
SSDEEP

49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlQ:86SIROiFJiwp0xlrlQ

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

C2

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2568	explorer.exe
2300	explorer.exe
1684	explorer.exe
2428	spoolsv.exe
1320	spoolsv.exe
2484	spoolsv.exe
2944	spoolsv.exe
264	spoolsv.exe
1264	spoolsv.exe
2988	spoolsv.exe
2956	spoolsv.exe
1796	spoolsv.exe
2924	spoolsv.exe
308	spoolsv.exe
2840	spoolsv.exe
2232	spoolsv.exe
2916	spoolsv.exe
2912	spoolsv.exe
2532	spoolsv.exe
1196	spoolsv.exe
2680	spoolsv.exe
2168	spoolsv.exe
1876	spoolsv.exe
2736	spoolsv.exe
2392	spoolsv.exe
2060	spoolsv.exe
584	spoolsv.exe
828	spoolsv.exe
956	spoolsv.exe
1948	spoolsv.exe
2420	spoolsv.exe
2968	spoolsv.exe
2296	spoolsv.exe
2160	spoolsv.exe
2704	spoolsv.exe
3016	spoolsv.exe
352	spoolsv.exe
2896	spoolsv.exe
1640	spoolsv.exe
1280	spoolsv.exe
2872	spoolsv.exe
2012	spoolsv.exe
1864	spoolsv.exe
1404	spoolsv.exe
1660	spoolsv.exe
1964	spoolsv.exe
1124	spoolsv.exe
1996	spoolsv.exe
1852	spoolsv.exe
2556	spoolsv.exe
2552	spoolsv.exe
2604	spoolsv.exe
1044	spoolsv.exe
2572	spoolsv.exe
1768	spoolsv.exe
2164	spoolsv.exe
2012	spoolsv.exe
1776	spoolsv.exe
2468	spoolsv.exe
1812	spoolsv.exe
1720	spoolsv.exe
2788	spoolsv.exe
2160	spoolsv.exe
2708	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2524	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
2524	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
1684	explorer.exe
1684	explorer.exe
2428	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2484	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
264	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2988	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
1796	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
308	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2232	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2912	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
1196	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2168	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2736	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2060	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
828	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
1948	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2968	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2160	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
3016	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2896	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
1280	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2012	spoolsv.exe
1684	explorer.exe
1684	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2460 set thread context of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 1740 set thread context of 2524	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2568 set thread context of 2300	2568	explorer.exe	explorer.exe
PID 2300 set thread context of 1684	2300	explorer.exe	explorer.exe
PID 2428 set thread context of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2484 set thread context of 2944	2484	spoolsv.exe	spoolsv.exe
PID 264 set thread context of 1264	264	spoolsv.exe	spoolsv.exe
PID 2988 set thread context of 2956	2988	spoolsv.exe	spoolsv.exe
PID 1796 set thread context of 2924	1796	spoolsv.exe	spoolsv.exe
PID 308 set thread context of 2840	308	spoolsv.exe	spoolsv.exe
PID 2232 set thread context of 2916	2232	spoolsv.exe	spoolsv.exe
PID 2912 set thread context of 2532	2912	spoolsv.exe	spoolsv.exe
PID 1196 set thread context of 2680	1196	spoolsv.exe	spoolsv.exe
PID 2168 set thread context of 1876	2168	spoolsv.exe	spoolsv.exe
PID 2736 set thread context of 2392	2736	spoolsv.exe	spoolsv.exe
PID 2060 set thread context of 584	2060	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 956	828	spoolsv.exe	spoolsv.exe
PID 1948 set thread context of 2420	1948	spoolsv.exe	spoolsv.exe
PID 2968 set thread context of 2296	2968	spoolsv.exe	spoolsv.exe
PID 2160 set thread context of 2704	2160	spoolsv.exe	spoolsv.exe
PID 3016 set thread context of 352	3016	spoolsv.exe	spoolsv.exe
PID 2896 set thread context of 1640	2896	spoolsv.exe	spoolsv.exe
PID 1280 set thread context of 2872	1280	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 1864	2012	spoolsv.exe	spoolsv.exe
PID 1404 set thread context of 1660	1404	spoolsv.exe	spoolsv.exe
PID 1964 set thread context of 1124	1964	spoolsv.exe	spoolsv.exe
PID 1996 set thread context of 1852	1996	spoolsv.exe	spoolsv.exe
PID 2556 set thread context of 2552	2556	spoolsv.exe	spoolsv.exe
PID 2604 set thread context of 1044	2604	spoolsv.exe	spoolsv.exe
PID 2572 set thread context of 1768	2572	spoolsv.exe	spoolsv.exe
PID 2164 set thread context of 2012	2164	spoolsv.exe	spoolsv.exe
PID 1776 set thread context of 2468	1776	spoolsv.exe	spoolsv.exe
PID 1812 set thread context of 1720	1812	spoolsv.exe	spoolsv.exe
PID 2788 set thread context of 2160	2788	spoolsv.exe	spoolsv.exe
PID 2708 set thread context of 2868	2708	spoolsv.exe	spoolsv.exe
PID 2688 set thread context of 2084	2688	spoolsv.exe	spoolsv.exe
PID 1180 set thread context of 1040	1180	spoolsv.exe	spoolsv.exe
PID 2988 set thread context of 2964	2988	spoolsv.exe	spoolsv.exe
PID 1564 set thread context of 2644	1564	spoolsv.exe	spoolsv.exe
PID 1672 set thread context of 2424	1672	spoolsv.exe	spoolsv.exe
PID 2800 set thread context of 2196	2800	spoolsv.exe	spoolsv.exe
PID 1400 set thread context of 2936	1400	spoolsv.exe	spoolsv.exe
PID 692 set thread context of 2904	692	spoolsv.exe	spoolsv.exe
PID 2404 set thread context of 2152	2404	spoolsv.exe	spoolsv.exe
PID 2608 set thread context of 3032	2608	spoolsv.exe	spoolsv.exe
PID 2972 set thread context of 2728	2972	spoolsv.exe	spoolsv.exe
PID 772 set thread context of 984	772	spoolsv.exe	spoolsv.exe
PID 1404 set thread context of 3040	1404	spoolsv.exe	spoolsv.exe
PID 2784 set thread context of 2764	2784	spoolsv.exe	spoolsv.exe
PID 2608 set thread context of 2604	2608	spoolsv.exe	spoolsv.exe
PID 2112 set thread context of 484	2112	spoolsv.exe	spoolsv.exe
PID 764 set thread context of 1572	764	spoolsv.exe	spoolsv.exe
PID 1724 set thread context of 2788	1724	spoolsv.exe	spoolsv.exe
PID 2520 set thread context of 376	2520	spoolsv.exe	spoolsv.exe
PID 1200 set thread context of 332	1200	spoolsv.exe	spoolsv.exe
PID 568 set thread context of 2980	568	spoolsv.exe	spoolsv.exe
PID 2460 set thread context of 1704	2460	spoolsv.exe	spoolsv.exe
PID 2556 set thread context of 2688	2556	spoolsv.exe	spoolsv.exe
PID 2060 set thread context of 1328	2060	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 2784	1756	spoolsv.exe	spoolsv.exe
PID 1608 set thread context of 2556	1608	spoolsv.exe	spoolsv.exe
PID 1200 set thread context of 1944	1200	spoolsv.exe	spoolsv.exe
PID 1056 set thread context of 3016	1056	spoolsv.exe	spoolsv.exe
PID 2888 set thread context of 836	2888	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exeexplorer.exe

pid	process
2524	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe
1684	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1684 explorer.exe

pid	process
1684	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
2524	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
2524	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
2568	explorer.exe
1684	explorer.exe
1684	explorer.exe
2428	spoolsv.exe
1684	explorer.exe
1684	explorer.exe
2484	spoolsv.exe
264	spoolsv.exe
2988	spoolsv.exe
1796	spoolsv.exe
308	spoolsv.exe
2232	spoolsv.exe
2912	spoolsv.exe
1196	spoolsv.exe
2168	spoolsv.exe
2736	spoolsv.exe
2060	spoolsv.exe
828	spoolsv.exe
1948	spoolsv.exe
2968	spoolsv.exe
2160	spoolsv.exe
3016	spoolsv.exe
2896	spoolsv.exe
1280	spoolsv.exe
2012	spoolsv.exe
1404	spoolsv.exe
1964	spoolsv.exe
1996	spoolsv.exe
2556	spoolsv.exe
2604	spoolsv.exe
2572	spoolsv.exe
2164	spoolsv.exe
1776	spoolsv.exe
1812	spoolsv.exe
2788	spoolsv.exe
2708	spoolsv.exe
2688	spoolsv.exe
1180	spoolsv.exe
2988	spoolsv.exe
1564	spoolsv.exe
1672	spoolsv.exe
2800	spoolsv.exe
1400	spoolsv.exe
692	spoolsv.exe
2404	spoolsv.exe
2608	spoolsv.exe
2972	spoolsv.exe
772	spoolsv.exe
1404	spoolsv.exe
2784	spoolsv.exe
2608	spoolsv.exe
2112	spoolsv.exe
764	spoolsv.exe
1724	spoolsv.exe
2520	spoolsv.exe
1200	spoolsv.exe
568	spoolsv.exe
2460	spoolsv.exe
2556	spoolsv.exe
2060	spoolsv.exe
1756	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2460 wrote to memory of 1740	2460	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 1740 wrote to memory of 3048	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	splwow64.exe
PID 1740 wrote to memory of 3048	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	splwow64.exe
PID 1740 wrote to memory of 3048	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	splwow64.exe
PID 1740 wrote to memory of 3048	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	splwow64.exe
PID 1740 wrote to memory of 2524	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 1740 wrote to memory of 2524	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 1740 wrote to memory of 2524	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 1740 wrote to memory of 2524	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 1740 wrote to memory of 2524	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 1740 wrote to memory of 2524	1740	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
PID 2524 wrote to memory of 2568	2524	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	explorer.exe
PID 2524 wrote to memory of 2568	2524	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	explorer.exe
PID 2524 wrote to memory of 2568	2524	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	explorer.exe
PID 2524 wrote to memory of 2568	2524	05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2568 wrote to memory of 2300	2568	explorer.exe	explorer.exe
PID 2300 wrote to memory of 1684	2300	explorer.exe	explorer.exe
PID 2300 wrote to memory of 1684	2300	explorer.exe	explorer.exe
PID 2300 wrote to memory of 1684	2300	explorer.exe	explorer.exe
PID 2300 wrote to memory of 1684	2300	explorer.exe	explorer.exe
PID 2300 wrote to memory of 1684	2300	explorer.exe	explorer.exe
PID 2300 wrote to memory of 1684	2300	explorer.exe	explorer.exe
PID 1684 wrote to memory of 2428	1684	explorer.exe	spoolsv.exe
PID 1684 wrote to memory of 2428	1684	explorer.exe	spoolsv.exe
PID 1684 wrote to memory of 2428	1684	explorer.exe	spoolsv.exe
PID 1684 wrote to memory of 2428	1684	explorer.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe
PID 2428 wrote to memory of 1320	2428	spoolsv.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460

C:\Users\Admin\AppData\Local\Temp\05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05de19657d326d7697ee0f49649e48cd_JaffaCakes118.exe"
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1320

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2944

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1264

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2956

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2924

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2840

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2916

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2532

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4688

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:2016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2680

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:956

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2296

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1640

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2552

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:1044

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1768

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1720

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Executes dropped EXE
PID:2160

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2868

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2788

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:376

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:7056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1404

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:576

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1608

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:1988

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:7052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3468

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:7032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3608

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:7060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3448

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3928

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3764

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3948

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3444

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:1500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3360

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:5776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:3884

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4144

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:7100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4652

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4836

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:7024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4488

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:5040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4712

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:1672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:5088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4752

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:6292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
- Drops file in Windows directory
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
9⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
8⤵
PID:5868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:6916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:6832

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

4

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD
Filesize
56KB

MD5
bd72dcf1083b6e22ccbfa0e8e27fb1e0

SHA1
3fd23d4f14da768da7b8364d74c54932d704e74e

SHA256
90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

SHA512
72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

Download Submit
C:\Windows\system\explorer.exe
Filesize
2.6MB

MD5
0e1e289771b8edbe8e3d12be8263fe8c

SHA1
85208a3a59bf461b7999d63a4ac13306571072ff

SHA256
57662225a6e24505b2653ce94195d118b5fc4496276c70cd3c91e853b2a4a711

SHA512
b5ed20f2e75587f5a1e49da304b6ef33a5da10c8b077ad4a2c8ae2ecd13cb7e30ff04b95b98e0f6887f5b968f8ed507da30af588a4ac6900572b94a512f72d85

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.6MB

MD5
d1665df3920561caef8da3181af29a4d

SHA1
e0ece40540e660487a0619410d63ccf720f8a3be

SHA256
4c13b2bceb13a3e34e0ce0fccf7a9c6e2c12eda826087d1e0d4df29e60a5a091

SHA512
1c4229f168b5c0ac45f281465e502992a79a089a536fdee7fc10bb0117ea278f7d8f2f6cae0883d2175368bc7d6c760fcd8bcb8e76330f7a170617743a1c34c5

Download Submit
memory/900-5843-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/900-5875-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1292-6252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1320-109-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1636-5789-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1740-4-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1740-25-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1740-8-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1740-3-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1740-40-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1740-7-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1740-27-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1740-6-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2300-88-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2300-64-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2300-61-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2300-81-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2460-5-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2460-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2524-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2524-42-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2524-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2568-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2568-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3412-6133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4212-5765-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-5653-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4268-5670-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4360-5730-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-5778-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4376-5750-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-5985-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4476-5967-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4608-5698-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-5629-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-5872-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-5713-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-5665-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5200-5863-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5468-5828-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5532-5913-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5776-6308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6040-5888-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6708-6081-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6776-6000-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6984-6118-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7024-6273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads