Analysis
-
max time kernel
81s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 14:21
Behavioral task
behavioral1
Sample
a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe
Resource
win7-20231129-en
General
-
Target
a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
a0fae610cdb3766ce807214fc32dfc0e
-
SHA1
20d9f1aae79bb3b3f60ac15a4a0df3b9976ab9e0
-
SHA256
6901d3b9a45e81ed9863962ac6883a4a9b56005f9beef23c7299eca2961ed94a
-
SHA512
c41bca9a00a1a22f380dc4763296b8b97d7efccbecd66141092726bcfa017a0a57f8ee1e239477cbe11078cd08ff056bf946612e2a9667f95e0dd5bf62f91369
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlp:86SIROiFJiwp0xlrlp
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
Processes:
a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
Processes:
explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2448 explorer.exe 2740 explorer.exe 2788 explorer.exe 1652 spoolsv.exe 2264 spoolsv.exe 2076 spoolsv.exe 932 spoolsv.exe 692 spoolsv.exe 616 spoolsv.exe 3032 spoolsv.exe 904 spoolsv.exe 740 spoolsv.exe 2364 spoolsv.exe 2844 spoolsv.exe 1428 spoolsv.exe 2640 spoolsv.exe 1920 spoolsv.exe 2744 spoolsv.exe 2748 spoolsv.exe 1536 spoolsv.exe 2796 spoolsv.exe 1640 spoolsv.exe 1720 spoolsv.exe 2920 spoolsv.exe 584 spoolsv.exe 1216 spoolsv.exe 1488 spoolsv.exe 1228 spoolsv.exe 3048 spoolsv.exe 2096 spoolsv.exe 1208 spoolsv.exe 1600 spoolsv.exe 2648 spoolsv.exe 2704 spoolsv.exe 2800 spoolsv.exe 2448 spoolsv.exe 2732 spoolsv.exe 1536 spoolsv.exe 2952 spoolsv.exe 488 spoolsv.exe 940 spoolsv.exe 1820 spoolsv.exe 2424 spoolsv.exe 588 spoolsv.exe 1612 spoolsv.exe 2872 spoolsv.exe 3008 spoolsv.exe 2036 spoolsv.exe 2588 spoolsv.exe 2560 spoolsv.exe 2452 spoolsv.exe 1320 spoolsv.exe 2908 spoolsv.exe 540 spoolsv.exe 1440 spoolsv.exe 1624 spoolsv.exe 1792 spoolsv.exe 2028 spoolsv.exe 1016 spoolsv.exe 2388 spoolsv.exe 2576 spoolsv.exe 2168 spoolsv.exe 2484 spoolsv.exe 2744 spoolsv.exe -
Loads dropped DLL 64 IoCs
Processes:
a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2608 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe 2608 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe 2788 explorer.exe 2788 explorer.exe 1652 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 2076 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 692 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 3032 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 740 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 2844 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 2640 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 2744 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 1536 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 1640 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 2920 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 1216 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 1228 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 2096 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 1600 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 2704 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 2448 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 1536 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 488 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 1820 spoolsv.exe 2788 explorer.exe 2788 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 64 IoCs
Processes:
a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exea0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedescription pid process target process PID 2372 set thread context of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 1184 set thread context of 2608 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2448 set thread context of 2740 2448 explorer.exe explorer.exe PID 2740 set thread context of 2788 2740 explorer.exe explorer.exe PID 1652 set thread context of 2264 1652 spoolsv.exe spoolsv.exe PID 2076 set thread context of 932 2076 spoolsv.exe spoolsv.exe PID 692 set thread context of 616 692 spoolsv.exe spoolsv.exe PID 3032 set thread context of 904 3032 spoolsv.exe spoolsv.exe PID 740 set thread context of 2364 740 spoolsv.exe spoolsv.exe PID 2640 set thread context of 1920 2640 spoolsv.exe spoolsv.exe PID 2744 set thread context of 2748 2744 spoolsv.exe spoolsv.exe PID 1536 set thread context of 2796 1536 spoolsv.exe spoolsv.exe PID 1640 set thread context of 1720 1640 spoolsv.exe spoolsv.exe PID 2920 set thread context of 584 2920 spoolsv.exe spoolsv.exe PID 1216 set thread context of 1488 1216 spoolsv.exe spoolsv.exe PID 1228 set thread context of 3048 1228 spoolsv.exe spoolsv.exe PID 2096 set thread context of 1208 2096 spoolsv.exe spoolsv.exe PID 1600 set thread context of 2648 1600 spoolsv.exe spoolsv.exe PID 2704 set thread context of 2800 2704 spoolsv.exe spoolsv.exe PID 2448 set thread context of 2732 2448 spoolsv.exe spoolsv.exe PID 1536 set thread context of 2952 1536 spoolsv.exe spoolsv.exe PID 488 set thread context of 940 488 spoolsv.exe spoolsv.exe PID 1820 set thread context of 2424 1820 spoolsv.exe spoolsv.exe PID 588 set thread context of 1612 588 spoolsv.exe spoolsv.exe PID 2872 set thread context of 3008 2872 spoolsv.exe spoolsv.exe PID 2036 set thread context of 2588 2036 spoolsv.exe spoolsv.exe PID 2560 set thread context of 2452 2560 spoolsv.exe spoolsv.exe PID 1320 set thread context of 2908 1320 spoolsv.exe spoolsv.exe PID 540 set thread context of 1440 540 spoolsv.exe spoolsv.exe PID 1624 set thread context of 1792 1624 spoolsv.exe spoolsv.exe PID 2028 set thread context of 1016 2028 spoolsv.exe spoolsv.exe PID 2388 set thread context of 2576 2388 spoolsv.exe spoolsv.exe PID 2168 set thread context of 2484 2168 spoolsv.exe spoolsv.exe PID 2744 set thread context of 1688 2744 spoolsv.exe spoolsv.exe PID 2724 set thread context of 2244 2724 spoolsv.exe spoolsv.exe PID 1456 set thread context of 412 1456 spoolsv.exe spoolsv.exe PID 884 set thread context of 1884 884 spoolsv.exe spoolsv.exe PID 1692 set thread context of 2316 1692 spoolsv.exe spoolsv.exe PID 2204 set thread context of 2604 2204 spoolsv.exe spoolsv.exe PID 2504 set thread context of 2832 2504 spoolsv.exe spoolsv.exe PID 2128 set thread context of 1876 2128 spoolsv.exe spoolsv.exe PID 1068 set thread context of 1828 1068 spoolsv.exe spoolsv.exe PID 884 set thread context of 2396 884 spoolsv.exe spoolsv.exe PID 2592 set thread context of 2088 2592 spoolsv.exe spoolsv.exe PID 2924 set thread context of 1328 2924 spoolsv.exe spoolsv.exe PID 2724 set thread context of 540 2724 spoolsv.exe spoolsv.exe PID 1140 set thread context of 1152 1140 spoolsv.exe spoolsv.exe PID 2356 set thread context of 2388 2356 spoolsv.exe spoolsv.exe PID 2444 set thread context of 2020 2444 spoolsv.exe spoolsv.exe PID 848 set thread context of 1864 848 spoolsv.exe spoolsv.exe PID 876 set thread context of 2992 876 spoolsv.exe spoolsv.exe PID 884 set thread context of 2224 884 spoolsv.exe spoolsv.exe PID 2592 set thread context of 1520 2592 spoolsv.exe spoolsv.exe PID 2016 set thread context of 488 2016 spoolsv.exe spoolsv.exe PID 1060 set thread context of 1532 1060 spoolsv.exe spoolsv.exe PID 2852 set thread context of 2464 2852 spoolsv.exe spoolsv.exe PID 812 set thread context of 1164 812 spoolsv.exe spoolsv.exe PID 2300 set thread context of 1608 2300 spoolsv.exe spoolsv.exe PID 3020 set thread context of 2404 3020 spoolsv.exe spoolsv.exe PID 2016 set thread context of 2008 2016 spoolsv.exe spoolsv.exe PID 2500 set thread context of 2940 2500 spoolsv.exe spoolsv.exe PID 1348 set thread context of 1404 1348 spoolsv.exe spoolsv.exe PID 1696 set thread context of 2204 1696 spoolsv.exe spoolsv.exe PID 268 set thread context of 1348 268 spoolsv.exe spoolsv.exe -
Drops file in Windows directory 64 IoCs
Processes:
spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exea0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedescription ioc process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exeexplorer.exepid process 2608 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe 2788 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 2788 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exea0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe 2608 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe 2608 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe 2448 explorer.exe 2788 explorer.exe 2788 explorer.exe 1652 spoolsv.exe 2788 explorer.exe 2788 explorer.exe 2076 spoolsv.exe 692 spoolsv.exe 3032 spoolsv.exe 740 spoolsv.exe 2640 spoolsv.exe 2744 spoolsv.exe 1536 spoolsv.exe 1640 spoolsv.exe 2920 spoolsv.exe 1216 spoolsv.exe 1228 spoolsv.exe 2096 spoolsv.exe 1600 spoolsv.exe 2704 spoolsv.exe 2448 spoolsv.exe 1536 spoolsv.exe 488 spoolsv.exe 1820 spoolsv.exe 588 spoolsv.exe 2872 spoolsv.exe 2036 spoolsv.exe 2560 spoolsv.exe 1320 spoolsv.exe 540 spoolsv.exe 1624 spoolsv.exe 2028 spoolsv.exe 2388 spoolsv.exe 2168 spoolsv.exe 2744 spoolsv.exe 2724 spoolsv.exe 1456 spoolsv.exe 884 spoolsv.exe 1692 spoolsv.exe 2204 spoolsv.exe 2504 spoolsv.exe 2128 spoolsv.exe 1068 spoolsv.exe 884 spoolsv.exe 2592 spoolsv.exe 2924 spoolsv.exe 2724 spoolsv.exe 1140 spoolsv.exe 2356 spoolsv.exe 2444 spoolsv.exe 848 spoolsv.exe 876 spoolsv.exe 884 spoolsv.exe 2592 spoolsv.exe 2016 spoolsv.exe 1060 spoolsv.exe 2852 spoolsv.exe 812 spoolsv.exe 2300 spoolsv.exe 3020 spoolsv.exe 2016 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exea0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exea0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exedescription pid process target process PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2372 wrote to memory of 1184 2372 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 1184 wrote to memory of 1736 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe splwow64.exe PID 1184 wrote to memory of 1736 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe splwow64.exe PID 1184 wrote to memory of 1736 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe splwow64.exe PID 1184 wrote to memory of 1736 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe splwow64.exe PID 1184 wrote to memory of 2608 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 1184 wrote to memory of 2608 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 1184 wrote to memory of 2608 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 1184 wrote to memory of 2608 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 1184 wrote to memory of 2608 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 1184 wrote to memory of 2608 1184 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe PID 2608 wrote to memory of 2448 2608 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe explorer.exe PID 2608 wrote to memory of 2448 2608 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe explorer.exe PID 2608 wrote to memory of 2448 2608 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe explorer.exe PID 2608 wrote to memory of 2448 2608 a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2448 wrote to memory of 2740 2448 explorer.exe explorer.exe PID 2740 wrote to memory of 2788 2740 explorer.exe explorer.exe PID 2740 wrote to memory of 2788 2740 explorer.exe explorer.exe PID 2740 wrote to memory of 2788 2740 explorer.exe explorer.exe PID 2740 wrote to memory of 2788 2740 explorer.exe explorer.exe PID 2740 wrote to memory of 2788 2740 explorer.exe explorer.exe PID 2740 wrote to memory of 2788 2740 explorer.exe explorer.exe PID 2788 wrote to memory of 1652 2788 explorer.exe spoolsv.exe PID 2788 wrote to memory of 1652 2788 explorer.exe spoolsv.exe PID 2788 wrote to memory of 1652 2788 explorer.exe spoolsv.exe PID 2788 wrote to memory of 1652 2788 explorer.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe PID 1652 wrote to memory of 2264 1652 spoolsv.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1736
-
C:\Users\Admin\AppData\Local\Temp\a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a0fae610cdb3766ce807214fc32dfc0e_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2448 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2264 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5488
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2076 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:932 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5768
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵PID:5552
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵PID:5168
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:692 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:616 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8660
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3032 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:904 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8364
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:740 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2364 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1428 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2640 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1920 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2748 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6600
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2796 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1640 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1720 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6608
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2920 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:584 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:9128
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1216 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1488 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1228 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:3048 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:9088
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2096 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1208 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:9076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1600 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2648 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8524
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2704 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2800 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7828
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2448 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2732 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8688
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2952 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:488 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:940 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1820 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2424 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8504
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:588 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1612 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2872 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:3008 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:9120
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2588 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2560 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2452 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1320 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:540 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1440 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2412
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1624 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1792 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2028 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1016 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2388 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2576 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6564
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2168 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2484 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1688
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7428
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2724 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2244
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1456 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:412
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:884 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1692 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2316
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6592
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2204 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2604
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:9104
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2504 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2832
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2128 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1876 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7676
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1068 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1828
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:884 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2396
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6276
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2592 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2088
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2924 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1328
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2724 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:540
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1140 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1152
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2356 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2444 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2020
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:848 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:876 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2992
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:884 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2224
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2592 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1520
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6932
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2016 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:488
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1060 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1532
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2852 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2464
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:812 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2300 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1608
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3020 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2404
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2016 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2008
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7796
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2500 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2940
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1348 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1404
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1696 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2204
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:268 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1348
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1576
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2504
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:952
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2912
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7324
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1600
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2724
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6416
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2116
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1676
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:812
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1948 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1140
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2704 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8728
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3012 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1756
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1416
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1180
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3028
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8740
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2436
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:452
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:268
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1760
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2880
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3192
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3268
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7644
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3356
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3392
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3496
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3604
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3640
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3748
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3784
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3872
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3952
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2436
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8596
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3180
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3224
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8668
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3376
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3428
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6228
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3576 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3628
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7264
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3812 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3964
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3088
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3200
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3236
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3440
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3584
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3592 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3796
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3888
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3936 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4064
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2564
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3196
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8572
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3360
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3692
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3856
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3896
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4032 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3324
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3492
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3588
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3840
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3156
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3368
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3452
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3792
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3848 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4016
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3208 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3376
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3492
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3916
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4028
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1072
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3472
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3700 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3148 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3300
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3376
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3872 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3216
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3148
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3568
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3712
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2668
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3380
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3488 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3336 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3620 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3120
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3796
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1072
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1680 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4008
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1072
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1680 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3136
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3172
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3576
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3336
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1680 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3860
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4140
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4244 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4300
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4428
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4464
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4552
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4628
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4716
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4792 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4844
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4984
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5064
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3836
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4176
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4228
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4520
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4600
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4784
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8248
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4880
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5084
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3576 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4288
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4424
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4544
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4624
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4768 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4980 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:5012 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5084
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4220
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:9112
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4376
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4444
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4564
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4936
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4940
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3144 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4212 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4372
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4576
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4688
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4760
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4152
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4396
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4532
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8532
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4896 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5028
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4284
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4368
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4492
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4676 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4800
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4264
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4284
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4396 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4816
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4900
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4148
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4256
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4512
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4380
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4656
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4968
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8756
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4312
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4360
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4884 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4780
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4352
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4752
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:9144
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5100
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4396
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4200
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4516
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4264 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4936
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4776
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4800
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4392
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4416
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4892
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5100
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4892
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4264
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8548
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5140
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5264
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5324
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8712
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5392 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5468
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5552
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5652
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5720
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:5756 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5864 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5900
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:9096
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5988
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6048
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:6132 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5236
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5360
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5392
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5516
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5552
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5732
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5852
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5868
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:6056 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:6096 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5148
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5248
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5420
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:5476 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5584
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5740
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5808
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5908
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5996
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5988
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6140
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6132
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8640
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5356
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5432
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5564
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5704
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5956
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:8752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:6124 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5136
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5260
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5292
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5664 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5632
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5844 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5996
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5224
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5296 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5492
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5676
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5812
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5948
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6072
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5216 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5488
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:5296 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5832
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6028
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5844
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5400
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5584
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5976
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6104
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6028
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8136
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8588
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
56KB
MD5bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA13fd23d4f14da768da7b8364d74c54932d704e74e
SHA25690f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA51272360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562
-
Filesize
2.6MB
MD511de14f877007aa1e47de1297baf8c33
SHA163fcdd445511696fa7ef3d3ed1357c87e000bcaf
SHA2563d94a6387363c440fa293ed572e6d62489725ba5de2b11e1f6f858e9cf89b1cd
SHA51216902c18fa5ce90f8b6a3a6c7f687a2628a2db40f6ba4357d69201c02d412a61b20784709326065293a14f10d74351e90ce41cbdc39009ee3e5a0c5ced31dec8
-
Filesize
2.6MB
MD58c06dd33fb5a87d5d9c5d461894c5ca6
SHA183ec973183c56d47e4f7118ee4dbe6cc3432debc
SHA2567175412e2ad6f8d9c79908149338d919344e1d5d5bc9ade23bc2035171875b6e
SHA512f1513c77b8fb704096d0beeb4254632d5556c92451f208af5ae6dee8da025d32cdd84dba9f53b339204edaa8a57c43084730a9ac08b11373d2bf4d79eed8be49