pony | dea95cb0a6191fddfb2c58b1271ea6354c33c6547c2d7f53f994982a8b30bf7b

Analysis

max time kernel
83s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-05-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
Size

2.6MB
MD5

7912866b72307178fff8fee003bb5d3b
SHA1

dadd7948d8fc385461490181117b8034bbb70521
SHA256

dea95cb0a6191fddfb2c58b1271ea6354c33c6547c2d7f53f994982a8b30bf7b
SHA512

d1cddc43ba5d155d5b006a1c9e4e2f2395328447d6ff17d3b1351ff3226f7b46720e2192c385e0135e253d5a54bda6cb7c4b852b5f77f43a9a08cbbd0156c69c
SSDEEP

49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlL:86SIROiFJiwp0xlrlL

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2516	explorer.exe
2532	explorer.exe
1268	explorer.exe
2640	spoolsv.exe
856	spoolsv.exe
2128	spoolsv.exe
2264	spoolsv.exe
2132	spoolsv.exe
488	spoolsv.exe
1304	spoolsv.exe
3028	spoolsv.exe
2068	spoolsv.exe
1816	spoolsv.exe
2328	spoolsv.exe
3048	spoolsv.exe
1740	spoolsv.exe
2456	spoolsv.exe
2464	spoolsv.exe
1588	spoolsv.exe
1084	spoolsv.exe
2112	spoolsv.exe
2748	spoolsv.exe
2296	spoolsv.exe
1652	spoolsv.exe
1440	spoolsv.exe
1136	spoolsv.exe
1788	spoolsv.exe
912	spoolsv.exe
1072	spoolsv.exe
1856	spoolsv.exe
1608	spoolsv.exe
2588	spoolsv.exe
2328	spoolsv.exe
2728	spoolsv.exe
1732	spoolsv.exe
2536	spoolsv.exe
1480	spoolsv.exe
1084	spoolsv.exe
2788	spoolsv.exe
576	spoolsv.exe
2224	spoolsv.exe
1556	spoolsv.exe
2948	spoolsv.exe
1204	spoolsv.exe
2092	spoolsv.exe
2032	spoolsv.exe
2608	spoolsv.exe
948	spoolsv.exe
2712	spoolsv.exe
2632	spoolsv.exe
2220	spoolsv.exe
2476	spoolsv.exe
2520	spoolsv.exe
2336	spoolsv.exe
2132	spoolsv.exe
1648	spoolsv.exe
2360	spoolsv.exe
3040	spoolsv.exe
2844	spoolsv.exe
1296	spoolsv.exe
884	spoolsv.exe
2716	spoolsv.exe
2656	spoolsv.exe
2232	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2584	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
2584	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
1268	explorer.exe
1268	explorer.exe
2640	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2128	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2132	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
1304	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2068	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2328	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
1740	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2464	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
1084	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2748	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
1652	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
1136	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
912	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
1856	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2588	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2728	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2536	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
1084	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
576	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
1556	spoolsv.exe
1268	explorer.exe
1268	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2364 set thread context of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2312 set thread context of 2584	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2516 set thread context of 2532	2516	explorer.exe	explorer.exe
PID 2532 set thread context of 1268	2532	explorer.exe	explorer.exe
PID 2640 set thread context of 856	2640	spoolsv.exe	spoolsv.exe
PID 2128 set thread context of 2264	2128	spoolsv.exe	spoolsv.exe
PID 2132 set thread context of 488	2132	spoolsv.exe	spoolsv.exe
PID 1304 set thread context of 3028	1304	spoolsv.exe	spoolsv.exe
PID 2068 set thread context of 1816	2068	spoolsv.exe	spoolsv.exe
PID 2328 set thread context of 3048	2328	spoolsv.exe	spoolsv.exe
PID 1740 set thread context of 2456	1740	spoolsv.exe	spoolsv.exe
PID 2464 set thread context of 1588	2464	spoolsv.exe	spoolsv.exe
PID 1084 set thread context of 2112	1084	spoolsv.exe	spoolsv.exe
PID 2748 set thread context of 2296	2748	spoolsv.exe	spoolsv.exe
PID 1652 set thread context of 1440	1652	spoolsv.exe	spoolsv.exe
PID 1136 set thread context of 1788	1136	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 1072	912	spoolsv.exe	spoolsv.exe
PID 1856 set thread context of 1608	1856	spoolsv.exe	spoolsv.exe
PID 2588 set thread context of 2328	2588	spoolsv.exe	spoolsv.exe
PID 2728 set thread context of 1732	2728	spoolsv.exe	spoolsv.exe
PID 2536 set thread context of 1480	2536	spoolsv.exe	spoolsv.exe
PID 1084 set thread context of 2788	1084	spoolsv.exe	spoolsv.exe
PID 576 set thread context of 2224	576	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 2948	1556	spoolsv.exe	spoolsv.exe
PID 1204 set thread context of 2092	1204	spoolsv.exe	spoolsv.exe
PID 2032 set thread context of 2608	2032	spoolsv.exe	spoolsv.exe
PID 948 set thread context of 2712	948	spoolsv.exe	spoolsv.exe
PID 2632 set thread context of 2220	2632	spoolsv.exe	spoolsv.exe
PID 2476 set thread context of 2520	2476	spoolsv.exe	spoolsv.exe
PID 2336 set thread context of 2132	2336	spoolsv.exe	spoolsv.exe
PID 1648 set thread context of 2360	1648	spoolsv.exe	spoolsv.exe
PID 3040 set thread context of 2844	3040	spoolsv.exe	spoolsv.exe
PID 1296 set thread context of 884	1296	spoolsv.exe	spoolsv.exe
PID 2716 set thread context of 2656	2716	spoolsv.exe	spoolsv.exe
PID 2232 set thread context of 1984	2232	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 2748	1584	spoolsv.exe	spoolsv.exe
PID 2336 set thread context of 2280	2336	spoolsv.exe	spoolsv.exe
PID 2692 set thread context of 1248	2692	spoolsv.exe	spoolsv.exe
PID 2548 set thread context of 1196	2548	spoolsv.exe	spoolsv.exe
PID 2768 set thread context of 2776	2768	spoolsv.exe	spoolsv.exe
PID 2580 set thread context of 1620	2580	spoolsv.exe	spoolsv.exe
PID 2876 set thread context of 1504	2876	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 788	1556	spoolsv.exe	spoolsv.exe
PID 2100 set thread context of 2564	2100	spoolsv.exe	spoolsv.exe
PID 2000 set thread context of 1664	2000	spoolsv.exe	spoolsv.exe
PID 636 set thread context of 2128	636	spoolsv.exe	spoolsv.exe
PID 300 set thread context of 1516	300	spoolsv.exe	spoolsv.exe
PID 2936 set thread context of 1748	2936	spoolsv.exe	spoolsv.exe
PID 1740 set thread context of 2504	1740	spoolsv.exe	spoolsv.exe
PID 2536 set thread context of 1104	2536	spoolsv.exe	spoolsv.exe
PID 2832 set thread context of 1152	2832	spoolsv.exe	spoolsv.exe
PID 2212 set thread context of 2976	2212	spoolsv.exe	spoolsv.exe
PID 2676 set thread context of 2428	2676	spoolsv.exe	spoolsv.exe
PID 1580 set thread context of 2876	1580	spoolsv.exe	spoolsv.exe
PID 2744 set thread context of 1652	2744	spoolsv.exe	spoolsv.exe
PID 2688 set thread context of 2716	2688	spoolsv.exe	spoolsv.exe
PID 2640 set thread context of 1904	2640	spoolsv.exe	spoolsv.exe
PID 2364 set thread context of 1644	2364	spoolsv.exe	spoolsv.exe
PID 1700 set thread context of 1968	1700	spoolsv.exe	spoolsv.exe
PID 472 set thread context of 1020	472	spoolsv.exe	spoolsv.exe
PID 2872 set thread context of 948	2872	spoolsv.exe	spoolsv.exe
PID 2272 set thread context of 636	2272	spoolsv.exe	spoolsv.exe
PID 3040 set thread context of 2940	3040	spoolsv.exe	spoolsv.exe
PID 2384 set thread context of 2104	2384	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exeexplorer.exe

pid	process
2584	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe
1268	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1268 explorer.exe

pid	process
1268	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
2584	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
2584	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
2516	explorer.exe
1268	explorer.exe
1268	explorer.exe
2640	spoolsv.exe
1268	explorer.exe
1268	explorer.exe
2128	spoolsv.exe
2132	spoolsv.exe
1304	spoolsv.exe
2068	spoolsv.exe
2328	spoolsv.exe
1740	spoolsv.exe
2464	spoolsv.exe
1084	spoolsv.exe
2748	spoolsv.exe
1652	spoolsv.exe
1136	spoolsv.exe
912	spoolsv.exe
1856	spoolsv.exe
2588	spoolsv.exe
2728	spoolsv.exe
2536	spoolsv.exe
1084	spoolsv.exe
576	spoolsv.exe
1556	spoolsv.exe
1204	spoolsv.exe
2032	spoolsv.exe
948	spoolsv.exe
2632	spoolsv.exe
2476	spoolsv.exe
2336	spoolsv.exe
1648	spoolsv.exe
3040	spoolsv.exe
1296	spoolsv.exe
2716	spoolsv.exe
2232	spoolsv.exe
1584	spoolsv.exe
2336	spoolsv.exe
2692	spoolsv.exe
2548	spoolsv.exe
2768	spoolsv.exe
2580	spoolsv.exe
2876	spoolsv.exe
1556	spoolsv.exe
2100	spoolsv.exe
2000	spoolsv.exe
636	spoolsv.exe
300	spoolsv.exe
2936	spoolsv.exe
1740	spoolsv.exe
2536	spoolsv.exe
2832	spoolsv.exe
2212	spoolsv.exe
2676	spoolsv.exe
1580	spoolsv.exe
2744	spoolsv.exe
2688	spoolsv.exe
2640	spoolsv.exe
2364	spoolsv.exe
1700	spoolsv.exe
472	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2364 wrote to memory of 2312	2364	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2312 wrote to memory of 2044	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	splwow64.exe
PID 2312 wrote to memory of 2044	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	splwow64.exe
PID 2312 wrote to memory of 2044	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	splwow64.exe
PID 2312 wrote to memory of 2044	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	splwow64.exe
PID 2312 wrote to memory of 2584	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2312 wrote to memory of 2584	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2312 wrote to memory of 2584	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2312 wrote to memory of 2584	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2312 wrote to memory of 2584	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2312 wrote to memory of 2584	2312	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
PID 2584 wrote to memory of 2516	2584	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	explorer.exe
PID 2584 wrote to memory of 2516	2584	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	explorer.exe
PID 2584 wrote to memory of 2516	2584	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	explorer.exe
PID 2584 wrote to memory of 2516	2584	7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2516 wrote to memory of 2532	2516	explorer.exe	explorer.exe
PID 2532 wrote to memory of 1268	2532	explorer.exe	explorer.exe
PID 2532 wrote to memory of 1268	2532	explorer.exe	explorer.exe
PID 2532 wrote to memory of 1268	2532	explorer.exe	explorer.exe
PID 2532 wrote to memory of 1268	2532	explorer.exe	explorer.exe
PID 2532 wrote to memory of 1268	2532	explorer.exe	explorer.exe
PID 2532 wrote to memory of 1268	2532	explorer.exe	explorer.exe
PID 1268 wrote to memory of 2640	1268	explorer.exe	spoolsv.exe
PID 1268 wrote to memory of 2640	1268	explorer.exe	spoolsv.exe
PID 1268 wrote to memory of 2640	1268	explorer.exe	spoolsv.exe
PID 1268 wrote to memory of 2640	1268	explorer.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe
PID 2640 wrote to memory of 856	2640	spoolsv.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2044
- - C:\Users\Admin\AppData\Local\Temp\7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7912866b72307178fff8fee003bb5d3b_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2516
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:856
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5308
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        
        PID:5896
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2128
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2264
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2132
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:488
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6920
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1304
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:3028
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1816
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:3048
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6184
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2464
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1588
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:7992
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2112
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2296
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1440
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1136
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1788
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1072
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1856
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2788
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8356
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2224
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2948
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2092
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2712
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2220
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2520
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2132
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1648
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3040
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2844
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6132
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1296
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2716
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2656
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8880
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2748
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5260
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1248
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1196
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2776
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8824
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1620
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2876
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1504
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:788
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2564
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1664
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2128
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1748
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2504
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8424
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:1104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1152
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2212
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2976
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2428
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2876
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2716
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1644
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1968
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:472
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1020
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:948
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:636
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6332
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3040
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2384
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1772
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:1140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2136
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:600
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:1060
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:1140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2632
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2240
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:472
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8604
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:2252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:384
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2348
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:2784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2240
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3120
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3260
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3492
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3736
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3824
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3840
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4092
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3104
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3216
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3208
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3432
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3612
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3648
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3180
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3216
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3396
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3708
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3792
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3968
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4020
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3156
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3196
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3368
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3612
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3100
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3156
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3496
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3152
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3460
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3672
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:7072
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3772
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3992
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3096
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3252
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8840
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3584
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3504
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4032
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3256
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3416
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3812
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8996
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3092
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3232
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3520
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3636
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4088
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8812
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3092
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3096
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1448
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3268
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3968
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4092
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3176
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3536
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2840
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3332
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3968
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:9028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3244
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4176
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4224
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4320
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4448
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4464
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4592
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4628
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4716
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4792
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4896
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4976
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3240
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4296
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4412
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4560
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4712
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5072
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4212
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4420
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4740
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4148
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4152
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4352
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4536
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4588
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4804
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4512
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4824
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4124
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5068
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4532
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4752
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4304
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4552
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4172
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4392
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5052
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4236
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:5056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4456
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8772
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4144
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4172
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4680
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5044
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5020
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4160
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4488
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4288
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4448
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4460
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:9036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4752
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4236
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5284
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5348
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5448
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:5512
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5612
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5864
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:6064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4240
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5280
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8688
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5380
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5444
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5536
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:5700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5808
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:6116
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5220
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5420
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5504
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5680
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5736
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:6008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:6076
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4752
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5432
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5624
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5656
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:8800
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:6100
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5312
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:7872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5492
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5532
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5800
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5864
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4860
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:6000
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5236
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5604
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5712
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5220
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5728
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:6096
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5208
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5644
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5804
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:6096
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:9016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5880
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:8980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:8848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:8864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System32\spool\drivers\x64\3\mxdwdui.BUD

Filesize
56KB

MD5
bd72dcf1083b6e22ccbfa0e8e27fb1e0

SHA1
3fd23d4f14da768da7b8364d74c54932d704e74e

SHA256
90f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1

SHA512
72360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562

Download Submit
\Windows\system\explorer.exe

Filesize
2.6MB

MD5
e4610dd44c14af0d515eea648c4e377b

SHA1
f2f679cf501d35e827017c6deedad8df4ae17ad6

SHA256
5853557ce8b167838eefd11a28685b0b32befc6988732755df00c45356c98400

SHA512
ac68d922915fba694103084437b0923ee14f76c187a392715c1929af4040a253930aa5247c328bed9aeee5b06fcc063df1f31bf87ba1c82eeb9fe15f09b5bd4e

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.6MB

MD5
69ad8fcf7f9ef7bb4322aba110a15959

SHA1
e2e46f855b144e7c4dfe41c5004cf6740a98b3dd

SHA256
ab2b0c8acd9dcbd2a2934d5c2ac50017cedcdede767593191f015fd8929893f0

SHA512
352d14ccde73ef5b3c65a77ba75f3ec1f65c3f9c886c62abebdc0f5905b083d6a384b952c6f20fc488b610d32305f204117daeb7dc114789e31ff89f741020b0

Download Submit
memory/856-106-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2312-35-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2312-23-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2312-3-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2312-4-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2312-5-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2312-6-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2364-2-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/2516-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2516-51-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2532-57-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2532-55-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2532-77-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2532-86-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2584-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download