Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 12:43
Behavioral task
behavioral1
Sample
a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
a0b5a25cbf6705f67a5dfa9d57d9beff
-
SHA1
fd4901b11a994da938f346529f9bd216d8fd25a5
-
SHA256
3cfcda107370625788612d10c088bf77be758717abb457d9689f0c8c71c9f0ec
-
SHA512
4aa4e70f40de8945f0d85ac888e71db202bf77cbe67c9b3251c2519765095e95db34340854991a0f44ba531706a49c19a754911935f76810983dafcdb977fa08
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlB:86SIROiFJiwp0xlrlB
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
Processes:
a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
Processes:
explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2488 explorer.exe 2544 explorer.exe 1992 explorer.exe 2748 spoolsv.exe 3004 spoolsv.exe 1372 spoolsv.exe 1916 spoolsv.exe 2472 spoolsv.exe 2240 spoolsv.exe 2132 spoolsv.exe 1316 spoolsv.exe 1256 spoolsv.exe 884 spoolsv.exe 1580 spoolsv.exe 2632 spoolsv.exe 3040 spoolsv.exe 2492 spoolsv.exe 3056 spoolsv.exe 2972 spoolsv.exe 2960 spoolsv.exe 1040 spoolsv.exe 1520 spoolsv.exe 2432 spoolsv.exe 2880 spoolsv.exe 976 spoolsv.exe 1736 spoolsv.exe 840 spoolsv.exe 2900 spoolsv.exe 2036 spoolsv.exe 1596 spoolsv.exe 2108 spoolsv.exe 1936 spoolsv.exe 1232 spoolsv.exe 1636 spoolsv.exe 3040 spoolsv.exe 352 spoolsv.exe 2744 spoolsv.exe 1708 spoolsv.exe 2372 spoolsv.exe 2408 spoolsv.exe 624 spoolsv.exe 1472 spoolsv.exe 2672 spoolsv.exe 1140 spoolsv.exe 1724 spoolsv.exe 2476 spoolsv.exe 2816 spoolsv.exe 1580 spoolsv.exe 1744 spoolsv.exe 2920 spoolsv.exe 2700 spoolsv.exe 2960 spoolsv.exe 760 spoolsv.exe 856 spoolsv.exe 3068 spoolsv.exe 1348 spoolsv.exe 292 spoolsv.exe 1780 spoolsv.exe 1792 spoolsv.exe 2668 spoolsv.exe 340 spoolsv.exe 2180 spoolsv.exe 2504 spoolsv.exe 2856 spoolsv.exe -
Loads dropped DLL 64 IoCs
Processes:
a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2520 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe 2520 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe 1992 explorer.exe 1992 explorer.exe 2748 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1372 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 2472 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 2132 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1256 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1580 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 3040 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 3056 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 2960 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1520 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 2880 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1736 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 2900 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1596 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1936 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1636 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 352 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1708 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 2408 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1472 spoolsv.exe 1992 explorer.exe 1992 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 64 IoCs
Processes:
a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exea0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedescription pid process target process PID 3044 set thread context of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 1812 set thread context of 2520 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 2488 set thread context of 2544 2488 explorer.exe explorer.exe PID 2544 set thread context of 1992 2544 explorer.exe explorer.exe PID 2748 set thread context of 3004 2748 spoolsv.exe spoolsv.exe PID 1372 set thread context of 1916 1372 spoolsv.exe spoolsv.exe PID 2472 set thread context of 2240 2472 spoolsv.exe spoolsv.exe PID 2132 set thread context of 1316 2132 spoolsv.exe spoolsv.exe PID 1256 set thread context of 884 1256 spoolsv.exe spoolsv.exe PID 1580 set thread context of 2632 1580 spoolsv.exe spoolsv.exe PID 3040 set thread context of 2492 3040 spoolsv.exe spoolsv.exe PID 3056 set thread context of 2972 3056 spoolsv.exe spoolsv.exe PID 2960 set thread context of 1040 2960 spoolsv.exe spoolsv.exe PID 1520 set thread context of 2432 1520 spoolsv.exe spoolsv.exe PID 2880 set thread context of 976 2880 spoolsv.exe spoolsv.exe PID 1736 set thread context of 840 1736 spoolsv.exe spoolsv.exe PID 2900 set thread context of 2036 2900 spoolsv.exe spoolsv.exe PID 1596 set thread context of 2108 1596 spoolsv.exe spoolsv.exe PID 1936 set thread context of 1232 1936 spoolsv.exe spoolsv.exe PID 1636 set thread context of 3040 1636 spoolsv.exe spoolsv.exe PID 352 set thread context of 2744 352 spoolsv.exe spoolsv.exe PID 1708 set thread context of 2372 1708 spoolsv.exe spoolsv.exe PID 2408 set thread context of 624 2408 spoolsv.exe spoolsv.exe PID 1472 set thread context of 2672 1472 spoolsv.exe spoolsv.exe PID 1140 set thread context of 1724 1140 spoolsv.exe spoolsv.exe PID 2476 set thread context of 2816 2476 spoolsv.exe spoolsv.exe PID 1580 set thread context of 1744 1580 spoolsv.exe spoolsv.exe PID 2920 set thread context of 2700 2920 spoolsv.exe spoolsv.exe PID 2960 set thread context of 760 2960 spoolsv.exe spoolsv.exe PID 856 set thread context of 3068 856 spoolsv.exe spoolsv.exe PID 1348 set thread context of 292 1348 spoolsv.exe spoolsv.exe PID 1780 set thread context of 1792 1780 spoolsv.exe spoolsv.exe PID 2668 set thread context of 340 2668 spoolsv.exe spoolsv.exe PID 2180 set thread context of 2504 2180 spoolsv.exe spoolsv.exe PID 2856 set thread context of 756 2856 spoolsv.exe spoolsv.exe PID 1300 set thread context of 2040 1300 spoolsv.exe spoolsv.exe PID 1800 set thread context of 2008 1800 spoolsv.exe spoolsv.exe PID 984 set thread context of 1628 984 spoolsv.exe spoolsv.exe PID 1756 set thread context of 2392 1756 spoolsv.exe spoolsv.exe PID 2820 set thread context of 2580 2820 spoolsv.exe spoolsv.exe PID 2224 set thread context of 828 2224 spoolsv.exe spoolsv.exe PID 696 set thread context of 1320 696 spoolsv.exe spoolsv.exe PID 316 set thread context of 1624 316 spoolsv.exe spoolsv.exe PID 1368 set thread context of 2648 1368 spoolsv.exe spoolsv.exe PID 1688 set thread context of 2820 1688 spoolsv.exe spoolsv.exe PID 1620 set thread context of 1144 1620 spoolsv.exe spoolsv.exe PID 2324 set thread context of 1800 2324 spoolsv.exe spoolsv.exe PID 1968 set thread context of 2716 1968 spoolsv.exe spoolsv.exe PID 2656 set thread context of 2992 2656 spoolsv.exe spoolsv.exe PID 1572 set thread context of 1276 1572 spoolsv.exe spoolsv.exe PID 1660 set thread context of 288 1660 spoolsv.exe spoolsv.exe PID 984 set thread context of 1220 984 spoolsv.exe spoolsv.exe PID 3036 set thread context of 2756 3036 spoolsv.exe spoolsv.exe PID 1488 set thread context of 1476 1488 spoolsv.exe spoolsv.exe PID 696 set thread context of 3060 696 spoolsv.exe spoolsv.exe PID 1984 set thread context of 2980 1984 spoolsv.exe spoolsv.exe PID 1184 set thread context of 1424 1184 spoolsv.exe spoolsv.exe PID 956 set thread context of 2092 956 spoolsv.exe spoolsv.exe PID 1968 set thread context of 1636 1968 spoolsv.exe spoolsv.exe PID 1708 set thread context of 1472 1708 spoolsv.exe spoolsv.exe PID 844 set thread context of 1716 844 spoolsv.exe spoolsv.exe PID 2652 set thread context of 2812 2652 spoolsv.exe spoolsv.exe PID 1760 set thread context of 1116 1760 spoolsv.exe spoolsv.exe PID 2668 set thread context of 2568 2668 spoolsv.exe spoolsv.exe -
Drops file in Windows directory 64 IoCs
Processes:
spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exea0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedescription ioc process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exeexplorer.exepid process 2520 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe 1992 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 1992 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exea0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe 2520 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe 2520 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe 2488 explorer.exe 1992 explorer.exe 1992 explorer.exe 2748 spoolsv.exe 1992 explorer.exe 1992 explorer.exe 1372 spoolsv.exe 2472 spoolsv.exe 2132 spoolsv.exe 1256 spoolsv.exe 1580 spoolsv.exe 3040 spoolsv.exe 3056 spoolsv.exe 2960 spoolsv.exe 1520 spoolsv.exe 2880 spoolsv.exe 1736 spoolsv.exe 2900 spoolsv.exe 1596 spoolsv.exe 1936 spoolsv.exe 1636 spoolsv.exe 352 spoolsv.exe 1708 spoolsv.exe 2408 spoolsv.exe 1472 spoolsv.exe 1140 spoolsv.exe 2476 spoolsv.exe 1580 spoolsv.exe 2920 spoolsv.exe 2960 spoolsv.exe 856 spoolsv.exe 1348 spoolsv.exe 1780 spoolsv.exe 2668 spoolsv.exe 2180 spoolsv.exe 2856 spoolsv.exe 1300 spoolsv.exe 1800 spoolsv.exe 984 spoolsv.exe 1756 spoolsv.exe 2820 spoolsv.exe 2224 spoolsv.exe 696 spoolsv.exe 316 spoolsv.exe 1368 spoolsv.exe 1688 spoolsv.exe 1620 spoolsv.exe 2324 spoolsv.exe 1968 spoolsv.exe 2656 spoolsv.exe 1572 spoolsv.exe 1660 spoolsv.exe 984 spoolsv.exe 3036 spoolsv.exe 1488 spoolsv.exe 696 spoolsv.exe 1984 spoolsv.exe 1184 spoolsv.exe 956 spoolsv.exe 1968 spoolsv.exe 1708 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exea0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exea0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exedescription pid process target process PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 3044 wrote to memory of 1812 3044 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 1812 wrote to memory of 1600 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe splwow64.exe PID 1812 wrote to memory of 1600 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe splwow64.exe PID 1812 wrote to memory of 1600 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe splwow64.exe PID 1812 wrote to memory of 1600 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe splwow64.exe PID 1812 wrote to memory of 2520 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 1812 wrote to memory of 2520 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 1812 wrote to memory of 2520 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 1812 wrote to memory of 2520 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 1812 wrote to memory of 2520 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 1812 wrote to memory of 2520 1812 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe PID 2520 wrote to memory of 2488 2520 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe explorer.exe PID 2520 wrote to memory of 2488 2520 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe explorer.exe PID 2520 wrote to memory of 2488 2520 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe explorer.exe PID 2520 wrote to memory of 2488 2520 a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2488 wrote to memory of 2544 2488 explorer.exe explorer.exe PID 2544 wrote to memory of 1992 2544 explorer.exe explorer.exe PID 2544 wrote to memory of 1992 2544 explorer.exe explorer.exe PID 2544 wrote to memory of 1992 2544 explorer.exe explorer.exe PID 2544 wrote to memory of 1992 2544 explorer.exe explorer.exe PID 2544 wrote to memory of 1992 2544 explorer.exe explorer.exe PID 2544 wrote to memory of 1992 2544 explorer.exe explorer.exe PID 1992 wrote to memory of 2748 1992 explorer.exe spoolsv.exe PID 1992 wrote to memory of 2748 1992 explorer.exe spoolsv.exe PID 1992 wrote to memory of 2748 1992 explorer.exe spoolsv.exe PID 1992 wrote to memory of 2748 1992 explorer.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe PID 2748 wrote to memory of 3004 2748 spoolsv.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Users\Admin\AppData\Local\Temp\a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1600
-
C:\Users\Admin\AppData\Local\Temp\a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0b5a25cbf6705f67a5dfa9d57d9beff_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2544 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:3004 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1372 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1916 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2472 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2240 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5640
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2132 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1316 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1256 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:884 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1580 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2632 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3040 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2492 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3056 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2972 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2960 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1040 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1520 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2432 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6316
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2880 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:976 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5936
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1736 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:840 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2900 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1596 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2108 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1936 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1232 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1636 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:3040 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:352 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2372 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2408 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:624 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1472 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2672 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5480
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1140 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1724 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2476 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2816 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4100
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1580 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2920 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2700 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2960 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:760 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:856 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:3068 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1348 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:292 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1792 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2668 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:340 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2180 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2504 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2856 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:756
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1300 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2040
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1800 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2008
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:984 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1628
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1756 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2392 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2820 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2580 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2224 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:828
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6232
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:696 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1320
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:316 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1624
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1368 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1688 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2820
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1620 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1144 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:780
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2324 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1800
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1968 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2716
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2656 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2992
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1572 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1276
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5988
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1660 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:288
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:984 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1220
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2756 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5216
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1488 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1476
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:696 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3060
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1984 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2980
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1184 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1424
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:956 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2092 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1968 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1636 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1472
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:844 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1716 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:2652 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2812
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1760 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1116
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:2668 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2568
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1520
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1352 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2640
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1968
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1488
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1660
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2768
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2772
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1544
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2692 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1604
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2640
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1984
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:604
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1572 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1244 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1428
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2652
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1808
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:604
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2628 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1436
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:316
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1604
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2232
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1688
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3136
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3204
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3300
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3408
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3464 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3532
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3628 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3740
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3796
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4032
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2708
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5688
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3084 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3248 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3360
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3412
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3552
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3660
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3780
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3820 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1564
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3236
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3272 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3392 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1520 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3604
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4004
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2232
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3116
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3376
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3364
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3616 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3788
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2200
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3908
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3132
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3288
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3084
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3452
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3364 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3736
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3952
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1728
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1520
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3704
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3788
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3868
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3192
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3272
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3548 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2984 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4012
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3180 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3432
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2336
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3948
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3132 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3880
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2232 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3352
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3668
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4064 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3520 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3352
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3744
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3284
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3340
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3952
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3672 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6712
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4032
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3444
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3688
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4068 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3540
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2528 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3508
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3908
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3808 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3084 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3856
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3524
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3596 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4084
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3524
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3576
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4168 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4232
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4328
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4392 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4488
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4556
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4652
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4720
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4816
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4984
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5052
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4288 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4472
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4600
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4664
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4740
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4844
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4968
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5032
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5056
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4192
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4320
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4412
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4484
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4612
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4556
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4824
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4944
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5008
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5104
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5052
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4364
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4440
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4540
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4912
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5020
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4132
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4240
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4400
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4692
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4792
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4996
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3808
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4264
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5348
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4420
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4448
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4772 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4876
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4980
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5100
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4336
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4392
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4484
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4800
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4160
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3808
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4464
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4544 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4740 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5084
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4140 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4372
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4608
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4948
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:5108 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4452
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3808
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4104
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4336 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4908
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5084 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4360
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4588
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4416
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4796
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4376
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4568
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4744
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3108 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4232
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4336 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4236 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4588
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4788
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4976
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4596
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5124
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5256
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5572
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5588
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5612
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5628
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5756
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5784
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5736
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2636
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
56KB
MD5bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA13fd23d4f14da768da7b8364d74c54932d704e74e
SHA25690f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA51272360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562
-
Filesize
2.6MB
MD5121bb48932bdd425f5e3828ceddacd81
SHA19ae6b38d0b6d41cd09f16697de2e19c55bfd0b07
SHA2568824395de314cbf2abc3fb28a41453e63b339425b3ff5fbc6017bca690e40881
SHA51234d4fddc3064ca9d7c98cf6cd3fe11ce1b88b1dcb4d93287ba971ae6cc0ff031412611b149b1e2fb7a097f3db43dc26f3e2683284df452d673c99113e59790d4
-
Filesize
2.6MB
MD5eb16f8a67331cd5dada22140b17d23f7
SHA195aa677d87903007ac87f6ef1d72e79aac034b47
SHA256826c8137662232c36ca4e3145b4d98decb9f4de45c58e9713eea0cdfbd29ff67
SHA5128836067451350c5943db58163416f92afc2b9869828687bf00b3168746d9a2ca0d32cfd039dbb9ae0bf440f51c79e9ed6aab0118b782cdb601fe51648e01c359