Analysis
-
max time kernel
83s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 15:57
Behavioral task
behavioral1
Sample
a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
a13d5374adf400bf521dc004804d0abb
-
SHA1
334a6ee872fe49f5a98494c93aa39d99c50ee235
-
SHA256
5b8dc985ed17848aff0d4db08a593d28c4474b2839dafe607bffa09c7a72fe74
-
SHA512
2b9d10cadd94fe5533c1f095ed84f34f6eb5d9e8d8faf50f1b3bc2817872f8f9b000d7c951d6f69d27ffe2302b7495b9a151387f0113ca46b7df4714e4feae10
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlB:86SIROiFJiwp0xlrlB
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
Processes:
a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
Processes:
explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2492 explorer.exe 572 explorer.exe 304 explorer.exe 2484 spoolsv.exe 2844 spoolsv.exe 308 spoolsv.exe 2880 spoolsv.exe 568 spoolsv.exe 2088 spoolsv.exe 3056 spoolsv.exe 2312 spoolsv.exe 1360 spoolsv.exe 1628 spoolsv.exe 2240 spoolsv.exe 2632 spoolsv.exe 1324 spoolsv.exe 1264 spoolsv.exe 964 spoolsv.exe 2852 spoolsv.exe 2832 spoolsv.exe 2000 spoolsv.exe 1136 spoolsv.exe 2316 spoolsv.exe 2592 spoolsv.exe 2120 spoolsv.exe 2268 spoolsv.exe 1988 spoolsv.exe 1304 spoolsv.exe 1748 spoolsv.exe 3068 spoolsv.exe 1636 spoolsv.exe 2256 spoolsv.exe 2648 spoolsv.exe 2620 spoolsv.exe 2568 spoolsv.exe 1500 spoolsv.exe 2740 spoolsv.exe 1972 spoolsv.exe 1712 spoolsv.exe 684 spoolsv.exe 1688 spoolsv.exe 1644 spoolsv.exe 1828 spoolsv.exe 2780 spoolsv.exe 1632 spoolsv.exe 2624 spoolsv.exe 2800 spoolsv.exe 2540 spoolsv.exe 2984 spoolsv.exe 1012 spoolsv.exe 3008 spoolsv.exe 2168 spoolsv.exe 1416 spoolsv.exe 568 spoolsv.exe 1996 spoolsv.exe 1424 spoolsv.exe 908 spoolsv.exe 2956 spoolsv.exe 2108 spoolsv.exe 2636 spoolsv.exe 2756 spoolsv.exe 1924 spoolsv.exe 2868 spoolsv.exe 2212 spoolsv.exe -
Loads dropped DLL 64 IoCs
Processes:
a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2508 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe 2508 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe 304 explorer.exe 304 explorer.exe 2484 spoolsv.exe 304 explorer.exe 304 explorer.exe 308 spoolsv.exe 304 explorer.exe 304 explorer.exe 568 spoolsv.exe 304 explorer.exe 304 explorer.exe 3056 spoolsv.exe 304 explorer.exe 304 explorer.exe 1360 spoolsv.exe 304 explorer.exe 304 explorer.exe 2240 spoolsv.exe 304 explorer.exe 304 explorer.exe 1324 spoolsv.exe 304 explorer.exe 304 explorer.exe 964 spoolsv.exe 304 explorer.exe 304 explorer.exe 2832 spoolsv.exe 304 explorer.exe 304 explorer.exe 1136 spoolsv.exe 304 explorer.exe 304 explorer.exe 2592 spoolsv.exe 304 explorer.exe 304 explorer.exe 2268 spoolsv.exe 304 explorer.exe 304 explorer.exe 1304 spoolsv.exe 304 explorer.exe 304 explorer.exe 3068 spoolsv.exe 304 explorer.exe 304 explorer.exe 2256 spoolsv.exe 304 explorer.exe 304 explorer.exe 2620 spoolsv.exe 304 explorer.exe 304 explorer.exe 1500 spoolsv.exe 304 explorer.exe 304 explorer.exe 1972 spoolsv.exe 304 explorer.exe 304 explorer.exe 684 spoolsv.exe 304 explorer.exe 304 explorer.exe 1644 spoolsv.exe 304 explorer.exe 304 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 64 IoCs
Processes:
a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exea13d5374adf400bf521dc004804d0abb_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedescription pid process target process PID 2240 set thread context of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 1520 set thread context of 2508 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2492 set thread context of 572 2492 explorer.exe explorer.exe PID 572 set thread context of 304 572 explorer.exe explorer.exe PID 2484 set thread context of 2844 2484 spoolsv.exe spoolsv.exe PID 308 set thread context of 2880 308 spoolsv.exe spoolsv.exe PID 568 set thread context of 2088 568 spoolsv.exe spoolsv.exe PID 3056 set thread context of 2312 3056 spoolsv.exe spoolsv.exe PID 1360 set thread context of 1628 1360 spoolsv.exe spoolsv.exe PID 2240 set thread context of 2632 2240 spoolsv.exe spoolsv.exe PID 1324 set thread context of 1264 1324 spoolsv.exe spoolsv.exe PID 964 set thread context of 2852 964 spoolsv.exe spoolsv.exe PID 2832 set thread context of 2000 2832 spoolsv.exe spoolsv.exe PID 1136 set thread context of 2316 1136 spoolsv.exe spoolsv.exe PID 2592 set thread context of 2120 2592 spoolsv.exe spoolsv.exe PID 2268 set thread context of 1988 2268 spoolsv.exe spoolsv.exe PID 1304 set thread context of 1748 1304 spoolsv.exe spoolsv.exe PID 3068 set thread context of 1636 3068 spoolsv.exe spoolsv.exe PID 2256 set thread context of 2648 2256 spoolsv.exe spoolsv.exe PID 2620 set thread context of 2568 2620 spoolsv.exe spoolsv.exe PID 1500 set thread context of 2740 1500 spoolsv.exe spoolsv.exe PID 1972 set thread context of 1712 1972 spoolsv.exe spoolsv.exe PID 684 set thread context of 1688 684 spoolsv.exe spoolsv.exe PID 1644 set thread context of 1828 1644 spoolsv.exe spoolsv.exe PID 2780 set thread context of 1632 2780 spoolsv.exe spoolsv.exe PID 2624 set thread context of 2800 2624 spoolsv.exe spoolsv.exe PID 2540 set thread context of 2984 2540 spoolsv.exe spoolsv.exe PID 1012 set thread context of 3008 1012 spoolsv.exe spoolsv.exe PID 2168 set thread context of 1416 2168 spoolsv.exe spoolsv.exe PID 568 set thread context of 1996 568 spoolsv.exe spoolsv.exe PID 1424 set thread context of 908 1424 spoolsv.exe spoolsv.exe PID 2956 set thread context of 2108 2956 spoolsv.exe spoolsv.exe PID 2636 set thread context of 2756 2636 spoolsv.exe spoolsv.exe PID 1924 set thread context of 2868 1924 spoolsv.exe spoolsv.exe PID 2212 set thread context of 2812 2212 spoolsv.exe spoolsv.exe PID 2924 set thread context of 612 2924 spoolsv.exe spoolsv.exe PID 396 set thread context of 772 396 spoolsv.exe spoolsv.exe PID 2720 set thread context of 2752 2720 spoolsv.exe spoolsv.exe PID 2808 set thread context of 3012 2808 spoolsv.exe spoolsv.exe PID 1516 set thread context of 1608 1516 spoolsv.exe spoolsv.exe PID 1736 set thread context of 3056 1736 spoolsv.exe spoolsv.exe PID 108 set thread context of 1960 108 spoolsv.exe spoolsv.exe PID 1660 set thread context of 1504 1660 spoolsv.exe spoolsv.exe PID 2776 set thread context of 1512 2776 spoolsv.exe spoolsv.exe PID 1952 set thread context of 2332 1952 spoolsv.exe spoolsv.exe PID 1400 set thread context of 2268 1400 spoolsv.exe spoolsv.exe PID 3036 set thread context of 2728 3036 spoolsv.exe spoolsv.exe PID 2764 set thread context of 2552 2764 spoolsv.exe spoolsv.exe PID 2612 set thread context of 1676 2612 spoolsv.exe spoolsv.exe PID 2932 set thread context of 1568 2932 spoolsv.exe spoolsv.exe PID 1304 set thread context of 2424 1304 spoolsv.exe spoolsv.exe PID 2600 set thread context of 2892 2600 spoolsv.exe spoolsv.exe PID 2280 set thread context of 2996 2280 spoolsv.exe spoolsv.exe PID 780 set thread context of 1164 780 spoolsv.exe spoolsv.exe PID 2176 set thread context of 2136 2176 spoolsv.exe spoolsv.exe PID 2720 set thread context of 2876 2720 spoolsv.exe spoolsv.exe PID 2204 set thread context of 1784 2204 spoolsv.exe spoolsv.exe PID 1592 set thread context of 3036 1592 spoolsv.exe spoolsv.exe PID 2500 set thread context of 2584 2500 spoolsv.exe spoolsv.exe PID 2840 set thread context of 984 2840 spoolsv.exe spoolsv.exe PID 848 set thread context of 1640 848 spoolsv.exe spoolsv.exe PID 1708 set thread context of 1928 1708 spoolsv.exe spoolsv.exe PID 1052 set thread context of 916 1052 spoolsv.exe spoolsv.exe PID 1604 set thread context of 1760 1604 spoolsv.exe spoolsv.exe -
Drops file in Windows directory 64 IoCs
Processes:
spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exea13d5374adf400bf521dc004804d0abb_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedescription ioc process File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exeexplorer.exepid process 2508 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe 304 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 304 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exea13d5374adf400bf521dc004804d0abb_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exepid process 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe 2508 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe 2508 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe 2492 explorer.exe 304 explorer.exe 304 explorer.exe 2484 spoolsv.exe 304 explorer.exe 304 explorer.exe 308 spoolsv.exe 568 spoolsv.exe 3056 spoolsv.exe 1360 spoolsv.exe 2240 spoolsv.exe 1324 spoolsv.exe 964 spoolsv.exe 2832 spoolsv.exe 1136 spoolsv.exe 2592 spoolsv.exe 2268 spoolsv.exe 1304 spoolsv.exe 3068 spoolsv.exe 2256 spoolsv.exe 2620 spoolsv.exe 1500 spoolsv.exe 1972 spoolsv.exe 684 spoolsv.exe 1644 spoolsv.exe 2780 spoolsv.exe 2624 spoolsv.exe 2540 spoolsv.exe 1012 spoolsv.exe 2168 spoolsv.exe 568 spoolsv.exe 1424 spoolsv.exe 2956 spoolsv.exe 2636 spoolsv.exe 1924 spoolsv.exe 2212 spoolsv.exe 2924 spoolsv.exe 396 spoolsv.exe 2720 spoolsv.exe 2808 spoolsv.exe 1516 spoolsv.exe 1736 spoolsv.exe 108 spoolsv.exe 1660 spoolsv.exe 2776 spoolsv.exe 1952 spoolsv.exe 1400 spoolsv.exe 3036 spoolsv.exe 2764 spoolsv.exe 2612 spoolsv.exe 2932 spoolsv.exe 1304 spoolsv.exe 2600 spoolsv.exe 2280 spoolsv.exe 780 spoolsv.exe 2176 spoolsv.exe 2720 spoolsv.exe 2204 spoolsv.exe 1592 spoolsv.exe 2500 spoolsv.exe 2840 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exea13d5374adf400bf521dc004804d0abb_JaffaCakes118.exea13d5374adf400bf521dc004804d0abb_JaffaCakes118.exeexplorer.exeexplorer.exeexplorer.exespoolsv.exedescription pid process target process PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2240 wrote to memory of 1520 2240 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 1520 wrote to memory of 2384 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe splwow64.exe PID 1520 wrote to memory of 2384 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe splwow64.exe PID 1520 wrote to memory of 2384 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe splwow64.exe PID 1520 wrote to memory of 2384 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe splwow64.exe PID 1520 wrote to memory of 2508 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 1520 wrote to memory of 2508 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 1520 wrote to memory of 2508 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 1520 wrote to memory of 2508 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 1520 wrote to memory of 2508 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 1520 wrote to memory of 2508 1520 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe PID 2508 wrote to memory of 2492 2508 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe explorer.exe PID 2508 wrote to memory of 2492 2508 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe explorer.exe PID 2508 wrote to memory of 2492 2508 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe explorer.exe PID 2508 wrote to memory of 2492 2508 a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 2492 wrote to memory of 572 2492 explorer.exe explorer.exe PID 572 wrote to memory of 304 572 explorer.exe explorer.exe PID 572 wrote to memory of 304 572 explorer.exe explorer.exe PID 572 wrote to memory of 304 572 explorer.exe explorer.exe PID 572 wrote to memory of 304 572 explorer.exe explorer.exe PID 572 wrote to memory of 304 572 explorer.exe explorer.exe PID 572 wrote to memory of 304 572 explorer.exe explorer.exe PID 304 wrote to memory of 2484 304 explorer.exe spoolsv.exe PID 304 wrote to memory of 2484 304 explorer.exe spoolsv.exe PID 304 wrote to memory of 2484 304 explorer.exe spoolsv.exe PID 304 wrote to memory of 2484 304 explorer.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe PID 2484 wrote to memory of 2844 2484 spoolsv.exe spoolsv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Users\Admin\AppData\Local\Temp\a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a13d5374adf400bf521dc004804d0abb_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:572 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2844 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3816
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:308 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2880 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4088
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:568 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2088 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3488
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3056 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2312 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3316
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵PID:3380
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵PID:3524
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1360 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1628 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1852
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2240 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2632 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2028
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1324 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1264 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3256
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:964 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2852 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3912
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵PID:3956
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵PID:4076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2832 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2000 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1136 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2316 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3800
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2592 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2120 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2268 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1988 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1304 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1748 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3068 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1636 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2544
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2256 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2648 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2620 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2568 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1500 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2740 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1972 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1712 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:684 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1688 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1644 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1828 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1632 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2624 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2800 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2540 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2984 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1012 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3008 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2168 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1416 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:568 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1996 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1424 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:908 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2956 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2108 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2636 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2756 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1924 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2868 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2212 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2812
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2924 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:612
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:396 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:772 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3064
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1600 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2720 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2752
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2808 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3012
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5052
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1516 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1608 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1736 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3056
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:108 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1960 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1660 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1504
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:584
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵PID:4132
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵PID:4416
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2776 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1512 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1952 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1400 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2268 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3336
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3036 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2728 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2764 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2552
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3744
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵PID:1532
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵PID:4428
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2612 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1676
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2932 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1568
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4424
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1304 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2424
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4588
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2600 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2892
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2280 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2996
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1164 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2176 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2136 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4324
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2720 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2876 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2204 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1784 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1592 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3036
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2500 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2584 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2840 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:984 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1660
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:848 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1640
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4296
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1928
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:516
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1052 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:916
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1604 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1760 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2840
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2540
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2532
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1116
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:852 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2176 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4688
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1788 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2148
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4348
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:2652 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2396
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4544
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:940
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2320 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1592 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1836
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2492
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2596
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2860
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2012
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2476
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1800
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2476
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2992
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1032
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2612
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1956
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2992
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3224
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3268
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3456
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3516
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3616
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3740
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3860
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3888
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3948
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4060
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3152
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3304
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:588
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3416
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3508
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4912
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3624
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3692
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3744
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3932
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3120
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3172
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3244
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3476
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3568
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3576
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3632
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3660
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3624
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3708
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3768
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3800
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3840
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4012
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4032
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3148
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:852
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3160
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3220
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3112
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2992
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3296
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1572
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3472
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2680
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3572
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3776
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3872
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4000
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4008
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3176
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3104
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4204
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4708
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5068
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4380
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
56KB
MD5bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA13fd23d4f14da768da7b8364d74c54932d704e74e
SHA25690f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA51272360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562
-
Filesize
2.6MB
MD56529faa5a49b9a03ea261ab60fd13054
SHA1c14e7919200145b4bc9d979a23daea655e1df108
SHA256e78813e738e2f2a31ac2f78bdd6c7a1e07368f6af0f7a23f14fc770c5db33415
SHA5128eb4b80f5dc2c31db4b7b3979301d4cd22d541df7c8a3cbdc8f804deab720f6c02e72517c68744445fd56991be093320869269d521448990107f618c42873faf
-
Filesize
2.6MB
MD5a8569038ca6717ce7334ae278590bcf2
SHA1cbd8f4bec5ea856f50389190e08186ffefe48fbe
SHA256ef92832db25c313327cbf9a1d31865516c9b8ab240fecab1d33494550f68e184
SHA512901dc3846e2985c3aba2775debb71747caca0f0fa4c92de3c1253c1533cbacb4274e6b114a5e0582c18c3d3baf1b08c9f85bbb68f696f9014fce91d4bb768648