Analysis
- max time kernel: 79s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2024 15:45

Behavioral task: behavioral1
- Sample: a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
- Resource: win7-20240611-en
General
- Target: a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
- Size: 2.6MB
- MD5: a13462e9f2e10d9c654cdd9e282ae7b4
- SHA1: d4a6af1acfc6d66d6302cb59f2cc1fd8284721bc
- SHA256: 996112081ca765aedf3318f2786ec59cfcdd79547696189149b1514ab58f8732
- SHA512: 736d955ae1c794d39ea47238e741f896fb2035559c9842ebb5e8527a29506ecbcaeba4a4382dcf74dc8bcd91a981172c3b5fb761f50d2989ed0456ec661a4266
- SSDEEP: 49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrld:86SIROiFJiwp0xlrld
Malware Config
Extracted
- Family: pony
- C2: http://don.service-master.eu/gate.php
- payload_url: http://don.service-master.eu/shit.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | explorer.exe
Drops startup file (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
Executes dropped EXE (64 IoCs)
Processes:
  pid | process
  2540 | explorer.exe
  2924 | explorer.exe
  1456 | explorer.exe
  1928 | spoolsv.exe
  2960 | spoolsv.exe
  2296 | spoolsv.exe
  1660 | spoolsv.exe
  2852 | spoolsv.exe
  2112 | spoolsv.exe
  1608 | spoolsv.exe
  672 | spoolsv.exe
  2208 | spoolsv.exe
  1720 | spoolsv.exe
  2848 | spoolsv.exe
  2612 | spoolsv.exe
  2356 | spoolsv.exe
  1556 | spoolsv.exe
  108 | spoolsv.exe
  1464 | spoolsv.exe
  2648 | spoolsv.exe
  2536 | spoolsv.exe
  1544 | spoolsv.exe
  1988 | spoolsv.exe
  804 | spoolsv.exe
  2064 | spoolsv.exe
  2372 | spoolsv.exe
  2072 | spoolsv.exe
  1060 | spoolsv.exe
  1284 | spoolsv.exe
  2956 | spoolsv.exe
  868 | spoolsv.exe
  2900 | spoolsv.exe
  2104 | spoolsv.exe
  2704 | spoolsv.exe
  2660 | spoolsv.exe
  2640 | spoolsv.exe
  2504 | spoolsv.exe
  2400 | spoolsv.exe
  2384 | spoolsv.exe
  2116 | spoolsv.exe
  388 | spoolsv.exe
  2036 | spoolsv.exe
  1092 | spoolsv.exe
  2280 | spoolsv.exe
  2428 | spoolsv.exe
  1688 | spoolsv.exe
  2836 | spoolsv.exe
  2788 | spoolsv.exe
  2516 | spoolsv.exe
  2544 | spoolsv.exe
  1996 | spoolsv.exe
  2412 | spoolsv.exe
  620 | spoolsv.exe
  816 | spoolsv.exe
  2116 | spoolsv.exe
  1172 | spoolsv.exe
  2372 | spoolsv.exe
  744 | spoolsv.exe
  1768 | spoolsv.exe
  2032 | spoolsv.exe
  2684 | spoolsv.exe
  2540 | spoolsv.exe
  2908 | spoolsv.exe
  2140 | spoolsv.exe
Loads dropped DLL (64 IoCs)
Processes:
  pid | process
  2604 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  2604 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1928 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2296 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2852 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1608 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2208 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2848 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2356 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  108 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2648 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1544 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  804 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2372 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1060 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2956 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2900 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2704 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2640 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2400 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2116 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2036 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Suspicious use of SetThreadContext (64 IoCs)
Processes:
  description | pid | process | target process
  PID 1752 set thread context of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 3040 set thread context of 2604 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 2540 set thread context of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2924 set thread context of 1456 | 2924 | explorer.exe | explorer.exe
  PID 1928 set thread context of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 2296 set thread context of 1660 | 2296 | spoolsv.exe | spoolsv.exe
  PID 2852 set thread context of 2112 | 2852 | spoolsv.exe | spoolsv.exe
  PID 1608 set thread context of 672 | 1608 | spoolsv.exe | spoolsv.exe
  PID 2208 set thread context of 1720 | 2208 | spoolsv.exe | spoolsv.exe
  PID 2848 set thread context of 2612 | 2848 | spoolsv.exe | spoolsv.exe
  PID 2356 set thread context of 1556 | 2356 | spoolsv.exe | spoolsv.exe
  PID 108 set thread context of 1464 | 108 | spoolsv.exe | spoolsv.exe
  PID 2648 set thread context of 2536 | 2648 | spoolsv.exe | spoolsv.exe
  PID 1544 set thread context of 1988 | 1544 | spoolsv.exe | spoolsv.exe
  PID 804 set thread context of 2064 | 804 | spoolsv.exe | spoolsv.exe
  PID 2372 set thread context of 2072 | 2372 | spoolsv.exe | spoolsv.exe
  PID 1060 set thread context of 1284 | 1060 | spoolsv.exe | spoolsv.exe
  PID 2956 set thread context of 868 | 2956 | spoolsv.exe | spoolsv.exe
  PID 2900 set thread context of 2104 | 2900 | spoolsv.exe | spoolsv.exe
  PID 2704 set thread context of 2660 | 2704 | spoolsv.exe | spoolsv.exe
  PID 2640 set thread context of 2504 | 2640 | spoolsv.exe | spoolsv.exe
  PID 2400 set thread context of 2384 | 2400 | spoolsv.exe | spoolsv.exe
  PID 2116 set thread context of 388 | 2116 | spoolsv.exe | spoolsv.exe
  PID 2036 set thread context of 1092 | 2036 | spoolsv.exe | spoolsv.exe
  PID 2280 set thread context of 2428 | 2280 | spoolsv.exe | spoolsv.exe
  PID 1688 set thread context of 2836 | 1688 | spoolsv.exe | spoolsv.exe
  PID 2788 set thread context of 2516 | 2788 | spoolsv.exe | spoolsv.exe
  PID 2544 set thread context of 1996 | 2544 | spoolsv.exe | spoolsv.exe
  PID 2412 set thread context of 620 | 2412 | spoolsv.exe | spoolsv.exe
  PID 816 set thread context of 2116 | 816 | spoolsv.exe | spoolsv.exe
  PID 1172 set thread context of 2372 | 1172 | spoolsv.exe | spoolsv.exe
  PID 744 set thread context of 1768 | 744 | spoolsv.exe | spoolsv.exe
  PID 2032 set thread context of 2684 | 2032 | spoolsv.exe | spoolsv.exe
  PID 2540 set thread context of 2908 | 2540 | spoolsv.exe | spoolsv.exe
  PID 2140 set thread context of 1736 | 2140 | spoolsv.exe | spoolsv.exe
  PID 1740 set thread context of 2820 | 1740 | spoolsv.exe | spoolsv.exe
  PID 1524 set thread context of 2236 | 1524 | spoolsv.exe | spoolsv.exe
  PID 2220 set thread context of 1752 | 2220 | spoolsv.exe | spoolsv.exe
  PID 2224 set thread context of 2708 | 2224 | spoolsv.exe | spoolsv.exe
  PID 1188 set thread context of 2544 | 1188 | spoolsv.exe | spoolsv.exe
  PID 2004 set thread context of 1708 | 2004 | spoolsv.exe | spoolsv.exe
  PID 2328 set thread context of 2300 | 2328 | spoolsv.exe | spoolsv.exe
  PID 1112 set thread context of 1616 | 1112 | spoolsv.exe | spoolsv.exe
  PID 2068 set thread context of 2472 | 2068 | spoolsv.exe | spoolsv.exe
  PID 2184 set thread context of 1096 | 2184 | spoolsv.exe | spoolsv.exe
  PID 1084 set thread context of 1276 | 1084 | spoolsv.exe | spoolsv.exe
  PID 1536 set thread context of 2388 | 1536 | spoolsv.exe | spoolsv.exe
  PID 2312 set thread context of 1672 | 2312 | spoolsv.exe | spoolsv.exe
  PID 760 set thread context of 1180 | 760 | spoolsv.exe | spoolsv.exe
  PID 2400 set thread context of 688 | 2400 | spoolsv.exe | spoolsv.exe
  PID 1748 set thread context of 1604 | 1748 | spoolsv.exe | spoolsv.exe
  PID 1656 set thread context of 916 | 1656 | spoolsv.exe | spoolsv.exe
  PID 2068 set thread context of 2608 | 2068 | spoolsv.exe | spoolsv.exe
  PID 1648 set thread context of 2268 | 1648 | spoolsv.exe | spoolsv.exe
  PID 1140 set thread context of 1536 | 1140 | spoolsv.exe | spoolsv.exe
  PID 2704 set thread context of 1600 | 2704 | spoolsv.exe | spoolsv.exe
  PID 1924 set thread context of 2288 | 1924 | spoolsv.exe | spoolsv.exe
  PID 2496 set thread context of 1588 | 2496 | spoolsv.exe | spoolsv.exe
  PID 2572 set thread context of 2704 | 2572 | spoolsv.exe | spoolsv.exe
  PID 2408 set thread context of 2400 | 2408 | spoolsv.exe | spoolsv.exe
  PID 2276 set thread context of 804 | 2276 | spoolsv.exe | spoolsv.exe
  PID 2664 set thread context of 2876 | 2664 | spoolsv.exe | spoolsv.exe
  PID 768 set thread context of 2092 | 768 | spoolsv.exe | spoolsv.exe
  PID 2600 set thread context of 2696 | 2600 | spoolsv.exe | spoolsv.exe
Drops file in Windows directory (64 IoCs)
Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | explorer.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | \??\c:\windows\system\spoolsv.exe | spoolsv.exe
  File opened for modification | C:\Windows\Parameters.ini | spoolsv.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  2604 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  1456 | explorer.exe
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes:
  pid | process
  1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  2604 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  2604 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  2540 | explorer.exe
  1456 | explorer.exe
  1456 | explorer.exe
  1928 | spoolsv.exe
  1456 | explorer.exe
  1456 | explorer.exe
  2296 | spoolsv.exe
  2852 | spoolsv.exe
  1608 | spoolsv.exe
  2208 | spoolsv.exe
  2848 | spoolsv.exe
  2356 | spoolsv.exe
  108 | spoolsv.exe
  2648 | spoolsv.exe
  1544 | spoolsv.exe
  804 | spoolsv.exe
  2372 | spoolsv.exe
  1060 | spoolsv.exe
  2956 | spoolsv.exe
  2900 | spoolsv.exe
  2704 | spoolsv.exe
  2640 | spoolsv.exe
  2400 | spoolsv.exe
  2116 | spoolsv.exe
  2036 | spoolsv.exe
  2280 | spoolsv.exe
  1688 | spoolsv.exe
  2788 | spoolsv.exe
  2544 | spoolsv.exe
  2412 | spoolsv.exe
  816 | spoolsv.exe
  1172 | spoolsv.exe
  744 | spoolsv.exe
  2032 | spoolsv.exe
  2540 | spoolsv.exe
  2140 | spoolsv.exe
  1740 | spoolsv.exe
  1524 | spoolsv.exe
  2220 | spoolsv.exe
  2224 | spoolsv.exe
  1188 | spoolsv.exe
  2004 | spoolsv.exe
  2328 | spoolsv.exe
  1112 | spoolsv.exe
  2068 | spoolsv.exe
  2184 | spoolsv.exe
  1084 | spoolsv.exe
  1536 | spoolsv.exe
  2312 | spoolsv.exe
  760 | spoolsv.exe
  2400 | spoolsv.exe
  1748 | spoolsv.exe
  1656 | spoolsv.exe
  2068 | spoolsv.exe
  1648 | spoolsv.exe
  1140 | spoolsv.exe
  2704 | spoolsv.exe
  1924 | spoolsv.exe
  2496 | spoolsv.exe
  2572 | spoolsv.exe
  2408 | spoolsv.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 1752 wrote to memory of 3040 | 1752 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 3040 wrote to memory of 2968 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | splwow64.exe
  PID 3040 wrote to memory of 2968 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | splwow64.exe
  PID 3040 wrote to memory of 2968 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | splwow64.exe
  PID 3040 wrote to memory of 2968 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | splwow64.exe
  PID 3040 wrote to memory of 2604 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 3040 wrote to memory of 2604 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 3040 wrote to memory of 2604 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 3040 wrote to memory of 2604 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 3040 wrote to memory of 2604 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 3040 wrote to memory of 2604 | 3040 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
  PID 2604 wrote to memory of 2540 | 2604 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | explorer.exe
  PID 2604 wrote to memory of 2540 | 2604 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | explorer.exe
  PID 2604 wrote to memory of 2540 | 2604 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | explorer.exe
  PID 2604 wrote to memory of 2540 | 2604 | a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2540 wrote to memory of 2924 | 2540 | explorer.exe | explorer.exe
  PID 2924 wrote to memory of 1456 | 2924 | explorer.exe | explorer.exe
  PID 2924 wrote to memory of 1456 | 2924 | explorer.exe | explorer.exe
  PID 2924 wrote to memory of 1456 | 2924 | explorer.exe | explorer.exe
  PID 2924 wrote to memory of 1456 | 2924 | explorer.exe | explorer.exe
  PID 2924 wrote to memory of 1456 | 2924 | explorer.exe | explorer.exe
  PID 2924 wrote to memory of 1456 | 2924 | explorer.exe | explorer.exe
  PID 1456 wrote to memory of 1928 | 1456 | explorer.exe | spoolsv.exe
  PID 1456 wrote to memory of 1928 | 1456 | explorer.exe | spoolsv.exe
  PID 1456 wrote to memory of 1928 | 1456 | explorer.exe | spoolsv.exe
  PID 1456 wrote to memory of 1928 | 1456 | explorer.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
  PID 1928 wrote to memory of 2960 | 1928 | spoolsv.exe | spoolsv.exe
Processes
(process tree; the bracketed number is the nesting depth, each entry lists its image path, command line, triggered signatures and PID)

[1] C:\Users\Admin\AppData\Local\Temp\a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1752
  [2] C:\Users\Admin\AppData\Local\Temp\a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe"
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 3040
    [3] C:\Windows\splwow64.exe
        command line: C:\Windows\splwow64.exe 12288
        PID: 2968
    [3] C:\Users\Admin\AppData\Local\Temp\a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\a13462e9f2e10d9c654cdd9e282ae7b4_JaffaCakes118.exe"
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2604
      [4] \??\c:\windows\system\explorer.exe
          command line: c:\windows\system\explorer.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2540
        [5] \??\c:\windows\system\explorer.exe
            command line: c:\windows\system\explorer.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
            PID: 2924
          [6] \??\c:\windows\system\explorer.exe
              command line: "c:\windows\system\explorer.exe"
              - Modifies WinLogon for persistence
              - Modifies visibility of hidden/system files in Explorer
              - Modifies Installed Components in the registry
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              PID: 1456
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                PID: 1928
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  PID: 2960
                [9] \??\c:\windows\system\spoolsv.exe
                    command line: "c:\windows\system\spoolsv.exe"
                    PID: 3596
                  [10] \??\c:\windows\system\explorer.exe
                       command line: c:\windows\system\explorer.exe
                       PID: 3664
                    [11] \??\c:\windows\system\explorer.exe
                         command line: c:\windows\system\explorer.exe
                         PID: 3808
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                PID: 2296
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  PID: 1660
                [9] \??\c:\windows\system\spoolsv.exe
                    command line: "c:\windows\system\spoolsv.exe"
                    PID: 4020
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 2852
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  PID: 2112
                [9] \??\c:\windows\system\spoolsv.exe
                    command line: "c:\windows\system\spoolsv.exe"
                    PID: 3304
                  [10] \??\c:\windows\system\explorer.exe
                       command line: c:\windows\system\explorer.exe
                       PID: 3296
                    [11] \??\c:\windows\system\explorer.exe
                         command line: c:\windows\system\explorer.exe
                         PID: 3500
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                PID: 1608
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  PID: 672
                [9] \??\c:\windows\system\spoolsv.exe
                    command line: "c:\windows\system\spoolsv.exe"
                    PID: 3516
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                PID: 2208
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  PID: 1720
                [9] \??\c:\windows\system\spoolsv.exe
                    command line: "c:\windows\system\spoolsv.exe"
                    PID: 1900
                  [10] \??\c:\windows\system\explorer.exe
                       command line: c:\windows\system\explorer.exe
                       PID: 3208
                    [11] \??\c:\windows\system\explorer.exe
                         command line: c:\windows\system\explorer.exe
                         PID: 3872
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                PID: 2848
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  PID: 2612
                [9] \??\c:\windows\system\spoolsv.exe
                    command line: "c:\windows\system\spoolsv.exe"
                    PID: 3736
                  [10] \??\c:\windows\system\explorer.exe
                       command line: c:\windows\system\explorer.exe
                       PID: 1136
                    [11] \??\c:\windows\system\explorer.exe
                         command line: c:\windows\system\explorer.exe
                         PID: 3080
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 2356
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  PID: 1556
                [9] \??\c:\windows\system\spoolsv.exe
                    command line: "c:\windows\system\spoolsv.exe"
                    PID: 4772
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 108
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  PID: 1464
                [9] \??\c:\windows\system\spoolsv.exe
                    command line: "c:\windows\system\spoolsv.exe"
                    PID: 3228
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                PID: 2648
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  PID: 2536
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Drops file in Windows directory
                - Suspicious use of SetWindowsHookEx
                PID: 1544
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  PID: 1988
                [9] \??\c:\windows\system\spoolsv.exe
                    command line: "c:\windows\system\spoolsv.exe"
                    PID: 4564
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 804
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  PID: 2064
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                PID: 2372
              [8] \??\c:\windows\system\spoolsv.exe
                  command line: c:\windows\system\spoolsv.exe SE
                  - Executes dropped EXE
                  - Drops file in Windows directory
                  PID: 2072
            [7] \??\c:\windows\system\spoolsv.exe
                command line: c:\windows\system\spoolsv.exe SE
                - Executes dropped EXE
                - Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1060 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1284 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2956 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:868 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2900 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2104 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4208
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2704 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2660 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2640 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2504 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4608
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2400 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2384 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2116 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:388 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1092 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2280 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1688 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2836 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3464
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2788 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2516 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2544 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1996 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2412 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:620 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:816 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2116 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1172 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2372 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5096
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:744 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1768 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2032 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2684 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2540 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2140 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1736 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1740 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2820
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1524 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2236
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2220 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1752
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4880
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2224 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1188 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2544 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4132
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2004 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2328 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2300 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4336
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵PID:4388
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵PID:4008
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1112 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1616
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2068 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2472
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2184 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1096 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1084 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1276
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2312 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1672
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5004
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:760 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1180
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2400 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:688
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1748 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1604 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1372
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1656 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:916 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2068 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2608
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1648 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2268 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1140 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2704 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1600
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1924 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2288 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2496 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1588 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3432
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2572 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2704
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2408 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2400
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:2276 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:804 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:2664 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2876 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:768 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2092
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4632
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:2600 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:660 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2276
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2496
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1908
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:768
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4384
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1900
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1612
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:760
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:568
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1152
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1892
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1440
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1240
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:760
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:660
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5024
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1240
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:760
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1656
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2316
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:872
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1468
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1740
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2412
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1240
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4988
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2788
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2420
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3152
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3212
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3292
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3396
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5088
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3516
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3600
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3824
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3868
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3984
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4072
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3132
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3244
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3280
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3408
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3464
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3484
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3264
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3644
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3712
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3704
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3912
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4952
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4048
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2448
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1748
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4220
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3128
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4668
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3240
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3340
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3384
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3420
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3656
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3812
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3872
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4024
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3172
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3444
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3536
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3744
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3760
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3924
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3968
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3852
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4000
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3116
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3204
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3132
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3504
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3948
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4004
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3176
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2564
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3352
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3512
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3644
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3804
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3300
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3316
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3588
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5056
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4624
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4780
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4116
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 3
  - Registry Run Keys / Startup Folder: 2
  - Winlogon Helper DLL: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 3
  - Registry Run Keys / Startup Folder: 2
  - Winlogon Helper DLL: 1
Downloads