Analysis
-
max time kernel
148s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-06-2024 08:53
Behavioral task
behavioral1
Sample
a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
a8d3f01ac454a7a5f0eef16d22169eac
-
SHA1
ac08fb67f133c812db7d6fed41eda1a813d8d53a
-
SHA256
151e3fef3278701e012fb323afaebcd9d1d0ef5236b9d84dbd006423857421ea
-
SHA512
ece3236e504d5cfc4788d3f1d5f097eb914699a1c3ac00c32bff1bfa1c4af0fce0b35f13f6d8f6ce7479e01155da7feff328697b2003502cd3d02140bc62bcc4
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlO:86SIROiFJiwp0xlrlO
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
Processes:
a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
Processes:
explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2492 explorer.exe 112 explorer.exe 2648 explorer.exe 2900 spoolsv.exe 1244 spoolsv.exe 2956 spoolsv.exe 2232 spoolsv.exe 1648 spoolsv.exe 928 spoolsv.exe 2332 spoolsv.exe 320 spoolsv.exe 608 spoolsv.exe 1152 spoolsv.exe 1560 spoolsv.exe 2504 spoolsv.exe 2380 spoolsv.exe 2372 spoolsv.exe 2636 spoolsv.exe 1936 spoolsv.exe 1176 spoolsv.exe 2360 spoolsv.exe 392 spoolsv.exe 1720 spoolsv.exe 1408 spoolsv.exe 2468 spoolsv.exe 3000 spoolsv.exe 672 spoolsv.exe 1436 spoolsv.exe 3056 spoolsv.exe 1520 spoolsv.exe 2068 spoolsv.exe 1892 spoolsv.exe 1740 spoolsv.exe 1972 spoolsv.exe 2152 spoolsv.exe 2424 spoolsv.exe 2696 spoolsv.exe 392 spoolsv.exe 324 spoolsv.exe 2032 spoolsv.exe 844 spoolsv.exe 1580 spoolsv.exe 448 spoolsv.exe 2112 spoolsv.exe 1380 spoolsv.exe 2584 spoolsv.exe 2572 spoolsv.exe 1972 spoolsv.exe 2920 spoolsv.exe 1688 spoolsv.exe 2760 spoolsv.exe 2660 spoolsv.exe 1344 spoolsv.exe 1888 spoolsv.exe 568 spoolsv.exe 1016 spoolsv.exe 1880 spoolsv.exe 3024 spoolsv.exe 1624 spoolsv.exe 2456 spoolsv.exe 2288 spoolsv.exe 1652 spoolsv.exe 2676 spoolsv.exe 760 spoolsv.exe -
Loads dropped DLL 64 IoCs
Processes:
a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2508 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe 2508 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe 2648 explorer.exe 2648 explorer.exe 2900 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 2956 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 1648 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 2332 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 608 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 1560 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 2380 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 2636 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 1176 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 392 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 1408 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 3000 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 1436 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 1520 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 1892 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 1972 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 2424 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 392 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 2032 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 1580 spoolsv.exe 2648 explorer.exe 2648 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 64 IoCs
Processes:
a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exea8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedescription pid process target process PID 2860 set thread context of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2992 set thread context of 2508 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2492 set thread context of 112 2492 explorer.exe explorer.exe PID 112 set thread context of 2648 112 explorer.exe explorer.exe PID 2900 set thread context of 1244 2900 spoolsv.exe spoolsv.exe PID 2956 set thread context of 2232 2956 spoolsv.exe spoolsv.exe PID 1648 set thread context of 928 1648 spoolsv.exe spoolsv.exe PID 2332 set thread context of 320 2332 spoolsv.exe spoolsv.exe PID 608 set thread context of 1152 608 spoolsv.exe spoolsv.exe PID 1560 set thread context of 2504 1560 spoolsv.exe spoolsv.exe PID 2380 set thread context of 2372 2380 spoolsv.exe spoolsv.exe PID 2636 set thread context of 1936 2636 spoolsv.exe spoolsv.exe PID 1176 set thread context of 2360 1176 spoolsv.exe spoolsv.exe PID 392 set thread context of 1720 392 spoolsv.exe spoolsv.exe PID 1408 set thread context of 2468 1408 spoolsv.exe spoolsv.exe PID 3000 set thread context of 672 3000 spoolsv.exe spoolsv.exe PID 1436 set thread context of 3056 1436 spoolsv.exe spoolsv.exe PID 1520 set thread context of 2068 1520 spoolsv.exe spoolsv.exe PID 1892 set thread context of 1740 1892 spoolsv.exe spoolsv.exe PID 1972 set thread context of 2152 1972 spoolsv.exe spoolsv.exe PID 2424 set thread context of 2696 2424 spoolsv.exe spoolsv.exe PID 392 set thread context of 324 392 spoolsv.exe spoolsv.exe PID 2032 set thread context of 844 2032 spoolsv.exe spoolsv.exe PID 1580 set thread context of 448 1580 spoolsv.exe spoolsv.exe PID 2112 set thread context of 1380 2112 spoolsv.exe spoolsv.exe PID 2584 set thread context of 2572 2584 spoolsv.exe spoolsv.exe PID 1972 set thread context of 2920 1972 spoolsv.exe spoolsv.exe PID 1688 set thread context of 2760 1688 spoolsv.exe spoolsv.exe PID 2660 set thread context of 1344 2660 spoolsv.exe spoolsv.exe PID 1888 set thread context of 568 1888 spoolsv.exe spoolsv.exe PID 1016 set thread context of 1880 1016 spoolsv.exe spoolsv.exe PID 3024 set thread context of 1624 3024 spoolsv.exe spoolsv.exe PID 2456 set thread context of 2288 2456 spoolsv.exe spoolsv.exe PID 1652 set thread context of 2676 1652 spoolsv.exe spoolsv.exe PID 760 set thread context of 2616 760 spoolsv.exe spoolsv.exe PID 2940 set thread context of 836 2940 spoolsv.exe spoolsv.exe PID 2304 set thread context of 1528 2304 spoolsv.exe spoolsv.exe PID 564 set thread context of 2988 564 spoolsv.exe spoolsv.exe PID 1672 set thread context of 1480 1672 spoolsv.exe spoolsv.exe PID 1604 set thread context of 1652 1604 spoolsv.exe spoolsv.exe PID 2548 set thread context of 2412 2548 spoolsv.exe spoolsv.exe PID 632 set thread context of 984 632 spoolsv.exe spoolsv.exe PID 1220 set thread context of 1640 1220 spoolsv.exe spoolsv.exe PID 1484 set thread context of 3024 1484 spoolsv.exe spoolsv.exe PID 2184 set thread context of 1920 2184 spoolsv.exe spoolsv.exe PID 760 set thread context of 1112 760 spoolsv.exe spoolsv.exe PID 2596 set thread context of 632 2596 spoolsv.exe spoolsv.exe PID 752 set thread context of 1632 752 spoolsv.exe spoolsv.exe PID 2976 set thread context of 2712 2976 spoolsv.exe spoolsv.exe PID 2636 set thread context of 2784 2636 spoolsv.exe spoolsv.exe PID 1692 set thread context of 2120 1692 spoolsv.exe spoolsv.exe PID 2996 set thread context of 1884 2996 spoolsv.exe spoolsv.exe PID 2496 set thread context of 2640 2496 spoolsv.exe spoolsv.exe PID 392 set thread context of 2928 392 spoolsv.exe spoolsv.exe PID 2076 set thread context of 1860 2076 spoolsv.exe spoolsv.exe PID 2112 set thread context of 952 2112 spoolsv.exe spoolsv.exe PID 2388 set thread context of 776 2388 spoolsv.exe spoolsv.exe PID 1620 set thread context of 1888 1620 spoolsv.exe spoolsv.exe PID 2320 set thread context of 2872 2320 spoolsv.exe spoolsv.exe PID 1604 set thread context of 2652 1604 spoolsv.exe spoolsv.exe PID 1404 set thread context of 832 1404 spoolsv.exe spoolsv.exe PID 1428 set thread context of 2444 1428 spoolsv.exe spoolsv.exe PID 1800 set thread context of 2940 1800 spoolsv.exe spoolsv.exe PID 1716 set thread context of 1572 1716 spoolsv.exe spoolsv.exe -
Drops file in Windows directory 64 IoCs
Processes:
spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exea8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedescription ioc process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification \??\c:\windows\system\explorer.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exeexplorer.exepid process 2508 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe 2648 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 2648 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exea8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe 2508 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe 2508 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe 2492 explorer.exe 2648 explorer.exe 2648 explorer.exe 2900 spoolsv.exe 2648 explorer.exe 2648 explorer.exe 2956 spoolsv.exe 1648 spoolsv.exe 2332 spoolsv.exe 608 spoolsv.exe 1560 spoolsv.exe 2380 spoolsv.exe 2636 spoolsv.exe 1176 spoolsv.exe 392 spoolsv.exe 1408 spoolsv.exe 3000 spoolsv.exe 1436 spoolsv.exe 1520 spoolsv.exe 1892 spoolsv.exe 1972 spoolsv.exe 2424 spoolsv.exe 392 spoolsv.exe 2032 spoolsv.exe 1580 spoolsv.exe 2112 spoolsv.exe 2584 spoolsv.exe 1972 spoolsv.exe 1688 spoolsv.exe 2660 spoolsv.exe 1888 spoolsv.exe 1016 spoolsv.exe 3024 spoolsv.exe 2456 spoolsv.exe 1652 spoolsv.exe 760 spoolsv.exe 2940 spoolsv.exe 2304 spoolsv.exe 564 spoolsv.exe 1672 spoolsv.exe 1604 spoolsv.exe 2548 spoolsv.exe 632 spoolsv.exe 1220 spoolsv.exe 1484 spoolsv.exe 2184 spoolsv.exe 760 spoolsv.exe 2596 spoolsv.exe 752 spoolsv.exe 2976 spoolsv.exe 2636 spoolsv.exe 1692 spoolsv.exe 2996 spoolsv.exe 2496 spoolsv.exe 392 spoolsv.exe 2076 spoolsv.exe 2112 spoolsv.exe 2388 spoolsv.exe 1620 spoolsv.exe 2320 spoolsv.exe 1604 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exea8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exea8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exedescription pid process target process PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2860 wrote to memory of 2992 2860 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2992 wrote to memory of 2564 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe splwow64.exe PID 2992 wrote to memory of 2564 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe splwow64.exe PID 2992 wrote to memory of 2564 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe splwow64.exe PID 2992 wrote to memory of 2564 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe splwow64.exe PID 2992 wrote to memory of 2508 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2992 wrote to memory of 2508 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2992 wrote to memory of 2508 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2992 wrote to memory of 2508 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2992 wrote to memory of 2508 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2992 wrote to memory of 2508 2992 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe PID 2508 wrote to memory of 2492 2508 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe explorer.exe PID 2508 wrote to memory of 2492 2508 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe explorer.exe PID 2508 wrote to memory of 2492 2508 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe explorer.exe PID 2508 wrote to memory of 2492 2508 a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 112 2492 explorer.exe explorer.exe PID 112 wrote to memory of 2648 112 explorer.exe explorer.exe PID 112 wrote to memory of 2648 112 explorer.exe explorer.exe PID 112 wrote to memory of 2648 112 explorer.exe explorer.exe PID 112 wrote to memory of 2648 112 explorer.exe explorer.exe PID 112 wrote to memory of 2648 112 explorer.exe explorer.exe PID 112 wrote to memory of 2648 112 explorer.exe explorer.exe PID 2648 wrote to memory of 2900 2648 explorer.exe spoolsv.exe PID 2648 wrote to memory of 2900 2648 explorer.exe spoolsv.exe PID 2648 wrote to memory of 2900 2648 explorer.exe spoolsv.exe PID 2648 wrote to memory of 2900 2648 explorer.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe PID 2900 wrote to memory of 1244 2900 spoolsv.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Users\Admin\AppData\Local\Temp\a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a8d3f01ac454a7a5f0eef16d22169eac_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Parameters.iniFilesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUDFilesize
56KB
MD5bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA13fd23d4f14da768da7b8364d74c54932d704e74e
SHA25690f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA51272360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562
-
C:\Windows\system\spoolsv.exeFilesize
2.6MB
MD50d8ad81ed018ea3b208d1b5321db2631
SHA1410302dd72827720419821e25a01fd1524ff4ffa
SHA25628bcfbc7df589cd15d0c3a85c16b5655671850456742e321c61b514f79002d0d
SHA51207454a41911c47a704435780bd77fab713ebf6dfcd51266184587eaa0d76ed5ec55c20da5b43ed188984a4840e32e4e73a64d1fb075157c9b8fec172b871339d
-
\Windows\system\explorer.exeFilesize
2.6MB
MD59d63485205a4d3bf1351794464bb74e6
SHA17b46510dfe84790c738b9e53d0e4645a5877f1a2
SHA256e029cfedb12a4ce01c1f5c429be5af78f13e8c29da71e53db4ac7702b9e794e6
SHA5122624930b8094a6e69f7ef8c8a12849474a57de7f8dfe7c50d54e16ccecddd05c143e352c2e84dc676bec26b0a8e9f98ccb3aa7da9c8f9bb49896db021cd30fcb
-
memory/112-61-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/112-88-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/112-78-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/112-60-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/1244-107-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2492-58-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/2508-57-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2508-30-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2508-33-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2508-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2508-26-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2508-39-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/2860-2-0x0000000000407000-0x0000000000408000-memory.dmpFilesize
4KB
-
memory/2992-4-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2992-38-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2992-7-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2992-24-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2992-5-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2992-6-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/2992-3-0x0000000000400000-0x00000000005D3000-memory.dmpFilesize
1.8MB
-
memory/4700-5585-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4920-5620-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4968-5600-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB