Analysis

max time kernel: 73s
max time network: 125s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 08:49

Behavioral task: behavioral1
Sample: a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe
Resource: win7-20240611-en

General

Target: a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe
Size: 2.6MB
MD5: a8cf99dc570fa2e2c8eb482abb38cd69
SHA1: d7cfb1783636b0d305a108374c9eacc7e3d3a5c6
SHA256: a95d6d17977c55729b6b5a3e2826b0b4cbafbb78279ea5daf7e8bab878e24408
SHA512: 4c4b78250362eece098e79dd9aabe1e892fa72ade9db2ed088eebc86f1ce552b622deebd01fcd39fdcef72e11926a42c639d8c89864dfe30527aa7ad42e68f7e
SSDEEP: 49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl5:86SIROiFJiwp0xlrl5

Malware Config

Extracted
Family: pony
C2: http://don.service-master.eu/gate.php
payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"
process: explorer.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: explorer.exe
description: Set value (int)
ioc: \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
process: explorer.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes: explorer.exe
description: Key created
ioc: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}
process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"
process: explorer.exe

Drops startup file 2 IoCs
Processes: a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe
process: a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe
process: a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe

Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 2 IoCs
Processes: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"
process: explorer.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"
process: explorer.exe

Suspicious use of SetThreadContext 54 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 51 IoCs
Suspicious use of SetWindowsHookEx 58 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

depth 2: C:\Users\Admin\AppData\Local\Temp\a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

depth 3: C:\Windows\splwow64.exe
  command line: C:\Windows\splwow64.exe 12288

depth 3: C:\Users\Admin\AppData\Local\Temp\a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a8cf99dc570fa2e2c8eb482abb38cd69_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

depth 4: \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

depth 5: \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

depth 6: \??\c:\windows\system\explorer.exe
  command line: "c:\windows\system\explorer.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of hidden/system files in Explorer
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 10: \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe

depth 11: \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 10: \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe

depth 11: \??\c:\windows\system\explorer.exe
  command line: c:\windows\system\explorer.exe

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Drops file in Windows directory

depth 9: \??\c:\windows\system\spoolsv.exe
  command line: "c:\windows\system\spoolsv.exe"

depth 7: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx

depth 8: \??\c:\windows\system\spoolsv.exe
  command line: c:\windows\system\spoolsv.exe SE
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Executes dropped EXE
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Executes dropped EXE
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Executes dropped EXE
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Executes dropped EXE
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
  - Drops file in Windows directory
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\explorer.exe  c:\windows\system\explorer.exe  (depth 10)
\??\c:\windows\system\explorer.exe  c:\windows\system\explorer.exe  (depth 11)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  "c:\windows\system\spoolsv.exe"  (depth 9)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 7)
\??\c:\windows\system\spoolsv.exe  c:\windows\system\spoolsv.exe SE  (depth 8)
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
Downloads

C:\Windows\Parameters.ini
Filesize: 74B
MD5: 6687785d6a31cdf9a5f80acb3abc459b
SHA1: 1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA256: 3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA512: 5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD
Filesize: 56KB
MD5: bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA1: 3fd23d4f14da768da7b8364d74c54932d704e74e
SHA256: 90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA512: 72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

\Windows\system\explorer.exe
Filesize: 2.6MB
MD5: f3cd0da754f860dd06a19bd182e0110a
SHA1: 81d0e05589e81586652c003cfe750d55f4c4d8bd
SHA256: 37d32468c8889856e992b26f67eaf087fe9fdaa7cc00503fd52fae681452cb48
SHA512: 23a028a99f8f73844a029969e90b1c429c6eb7ffee4056b7fbfbc3b39feb1411afc742c8812964f107f4d545cbba65d37d7f6a9cdb60f475b1eba48859e0a4d4

\Windows\system\spoolsv.exe
Filesize: 2.6MB
MD5: 2902e9c2ba165a3c164fb95e1cc4e1ed
SHA1: 37f0c2ad3a4418b544cf6f90ce70342c7b24b455
SHA256: 8cecb5e8a0b06064988c2540125a0d496f486917a55b460994ed9e8d90044324
SHA512: 0a5f2c029cac1c28cd211ed77cfe0a91aa0f777ecea08c69a985cf8241695d0ec735f030b2708580db57039b1c2581b3628737fec9fda274dd0059e47b1a5f55

memory/516-74-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/516-52-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/516-82-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/516-54-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/804-53-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize: 48KB

memory/804-48-0x0000000000400000-0x000000000040C000-memory.dmp
Filesize: 48KB

memory/1120-4012-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/1268-3811-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/1308-7-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/1308-32-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/1308-19-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/1308-6-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/1308-5-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/1308-4-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/1308-3-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/1360-3744-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/1488-3609-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/1488-3621-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/1948-102-0x0000000000400000-0x00000000005D3000-memory.dmp
Filesize: 1.8MB

memory/2084-2-0x0000000000407000-0x0000000000408000-memory.dmp
Filesize: 4KB

memory/2560-25-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/2560-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize: 4KB

memory/2560-30-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/2560-57-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/2560-21-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/2620-4234-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/3108-3769-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/3180-3698-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/3224-3935-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/3396-4092-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/3588-3638-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/3808-3725-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/3824-4180-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4120-3841-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4248-4049-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4380-3825-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4500-4212-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4524-4151-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4560-4308-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4740-4283-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4804-3860-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4980-3956-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4984-4124-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/4984-4130-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB

memory/5040-3989-0x0000000000400000-0x000000000043E000-memory.dmp
Filesize: 248KB