Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-06-2024 19:00
Behavioral task
behavioral1
Sample
b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
b4b3f061e49cb4340deffe5bb7c1bb38
-
SHA1
1920065bf4f4d2614075b2c61d9400d2f21bbee2
-
SHA256
42abbe37e85608b10360805b1dfd20e205e4fe2d6e32acef37def9433ea76436
-
SHA512
eaa55eae900a3b57c7b2af2ca88ad1ebb1ee9d225b1da47fcfd3a4e95b84aebfd47bcfbbf38bff6d27f44cf9bbf56e6886da0b2b8f31851650654dd87c178019
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrlO:86SIROiFJiwp0xlrlO
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
pid Process 2444 explorer.exe 3032 explorer.exe 1740 explorer.exe 1616 spoolsv.exe 1612 spoolsv.exe 2988 spoolsv.exe 2892 spoolsv.exe 384 spoolsv.exe 1500 spoolsv.exe 1136 spoolsv.exe 2072 spoolsv.exe 852 spoolsv.exe 1940 spoolsv.exe 2052 spoolsv.exe 2004 spoolsv.exe 2588 spoolsv.exe 2696 spoolsv.exe 2492 spoolsv.exe 1796 spoolsv.exe 2792 spoolsv.exe 1220 spoolsv.exe 2660 spoolsv.exe 1664 spoolsv.exe 2680 spoolsv.exe 1492 spoolsv.exe 1860 spoolsv.exe 384 spoolsv.exe 1136 spoolsv.exe 1628 spoolsv.exe 2184 spoolsv.exe 2264 spoolsv.exe 2916 spoolsv.exe 1596 spoolsv.exe 1256 spoolsv.exe 2052 spoolsv.exe 1196 spoolsv.exe 1280 spoolsv.exe 840 spoolsv.exe 2232 spoolsv.exe 2092 spoolsv.exe 2888 spoolsv.exe 540 spoolsv.exe 2368 spoolsv.exe 848 spoolsv.exe 916 spoolsv.exe 1504 spoolsv.exe 884 spoolsv.exe 1600 spoolsv.exe 2700 spoolsv.exe 1300 spoolsv.exe 2492 spoolsv.exe 1776 spoolsv.exe 840 spoolsv.exe 2088 spoolsv.exe 2468 spoolsv.exe 1144 spoolsv.exe 1712 spoolsv.exe 1768 spoolsv.exe 2352 spoolsv.exe 2508 spoolsv.exe 868 spoolsv.exe 2868 spoolsv.exe 2592 spoolsv.exe 2672 spoolsv.exe -
Loads dropped DLL 64 IoCs
pid Process 2616 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 2616 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 1740 explorer.exe 1740 explorer.exe 1616 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2988 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 384 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 1136 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 852 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2052 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2588 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2492 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2792 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2660 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2680 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 1860 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 1136 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2184 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2916 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 1256 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 1196 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 840 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2092 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 540 spoolsv.exe 1740 explorer.exe 1740 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe -
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target PID 3048 set thread context of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 1820 set thread context of 2616 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 30 PID 2444 set thread context of 3032 2444 explorer.exe 32 PID 3032 set thread context of 1740 3032 explorer.exe 35 PID 1616 set thread context of 1612 1616 spoolsv.exe 37 PID 2988 set thread context of 2892 2988 spoolsv.exe 39 PID 384 set thread context of 1500 384 spoolsv.exe 41 PID 1136 set thread context of 2072 1136 spoolsv.exe 43 PID 852 set thread context of 1940 852 spoolsv.exe 45 PID 2052 set thread context of 2004 2052 spoolsv.exe 47 PID 2588 set thread context of 2696 2588 spoolsv.exe 49 PID 2492 set thread context of 1796 2492 spoolsv.exe 51 PID 2792 set thread context of 1220 2792 spoolsv.exe 53 PID 2660 set thread context of 1664 2660 spoolsv.exe 55 PID 2680 set thread context of 1492 2680 spoolsv.exe 57 PID 1860 set thread context of 384 1860 spoolsv.exe 59 PID 1136 set thread context of 1628 1136 spoolsv.exe 61 PID 2184 set thread context of 2264 2184 spoolsv.exe 63 PID 2916 set thread context of 1596 2916 spoolsv.exe 65 PID 1256 set thread context of 2052 1256 spoolsv.exe 67 PID 1196 set thread context of 1280 1196 spoolsv.exe 69 PID 840 set thread context of 2232 840 spoolsv.exe 71 PID 2092 set thread context of 2888 2092 spoolsv.exe 73 PID 540 set thread context of 2368 540 spoolsv.exe 75 PID 848 set thread context of 916 848 spoolsv.exe 77 PID 1504 set thread context of 884 1504 spoolsv.exe 79 PID 1600 set thread context of 2700 1600 spoolsv.exe 81 PID 1300 set thread context of 2492 1300 spoolsv.exe 83 PID 1776 set thread context of 840 1776 spoolsv.exe 85 PID 2088 set thread context of 2468 2088 spoolsv.exe 87 PID 1144 set thread context of 1712 1144 spoolsv.exe 89 PID 1768 set thread context of 2352 1768 spoolsv.exe 91 PID 2508 set thread context of 868 2508 spoolsv.exe 93 PID 2868 set thread context of 2592 2868 spoolsv.exe 95 PID 2672 set thread context of 2800 2672 spoolsv.exe 97 PID 2836 set thread context of 1576 2836 spoolsv.exe 99 PID 992 set thread context of 2960 992 spoolsv.exe 101 PID 2284 set thread context of 1544 2284 spoolsv.exe 103 PID 3068 set thread context of 2200 3068 spoolsv.exe 105 PID 2760 set thread context of 2976 2760 spoolsv.exe 107 PID 2416 set thread context of 2652 2416 spoolsv.exe 109 PID 1284 set thread context of 1336 1284 spoolsv.exe 111 PID 1772 set thread context of 672 1772 spoolsv.exe 113 PID 320 set thread context of 2292 320 spoolsv.exe 115 PID 2464 set thread context of 2424 2464 spoolsv.exe 117 PID 888 set thread context of 1552 888 spoolsv.exe 119 PID 532 set thread context of 324 532 spoolsv.exe 121 PID 2192 set thread context of 744 2192 spoolsv.exe 123 PID 2728 set thread context of 2428 2728 spoolsv.exe 125 PID 2812 set thread context of 2464 2812 spoolsv.exe 127 PID 2836 set thread context of 2680 2836 spoolsv.exe 129 PID 1852 set thread context of 1872 1852 spoolsv.exe 131 PID 1704 set thread context of 2820 1704 spoolsv.exe 133 PID 296 set thread context of 888 296 spoolsv.exe 135 PID 1808 set thread context of 2064 1808 spoolsv.exe 137 PID 2044 set thread context of 2856 2044 spoolsv.exe 139 PID 1704 set thread context of 2604 1704 spoolsv.exe 141 PID 2996 set thread context of 1624 2996 spoolsv.exe 143 PID 2196 set thread context of 2288 2196 spoolsv.exe 145 PID 2840 set thread context of 2416 2840 spoolsv.exe 147 PID 780 set thread context of 1536 780 spoolsv.exe 149 PID 1784 set thread context of 552 1784 spoolsv.exe 151 PID 1616 set thread context of 2092 1616 spoolsv.exe 153 PID 780 set thread context of 2748 780 spoolsv.exe 155 -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\system\udsys.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2616 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe 1740 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1740 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 2616 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 2616 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 2444 explorer.exe 1740 explorer.exe 1740 explorer.exe 1616 spoolsv.exe 1740 explorer.exe 1740 explorer.exe 2988 spoolsv.exe 384 spoolsv.exe 1136 spoolsv.exe 852 spoolsv.exe 2052 spoolsv.exe 2588 spoolsv.exe 2492 spoolsv.exe 2792 spoolsv.exe 2660 spoolsv.exe 2680 spoolsv.exe 1860 spoolsv.exe 1136 spoolsv.exe 2184 spoolsv.exe 2916 spoolsv.exe 1256 spoolsv.exe 1196 spoolsv.exe 840 spoolsv.exe 2092 spoolsv.exe 540 spoolsv.exe 848 spoolsv.exe 1504 spoolsv.exe 1600 spoolsv.exe 1300 spoolsv.exe 1776 spoolsv.exe 2088 spoolsv.exe 1144 spoolsv.exe 1768 spoolsv.exe 2508 spoolsv.exe 2868 spoolsv.exe 2672 spoolsv.exe 2836 spoolsv.exe 992 spoolsv.exe 2284 spoolsv.exe 3068 spoolsv.exe 2760 spoolsv.exe 2416 spoolsv.exe 1284 spoolsv.exe 1772 spoolsv.exe 320 spoolsv.exe 2464 spoolsv.exe 888 spoolsv.exe 532 spoolsv.exe 2192 spoolsv.exe 2728 spoolsv.exe 2812 spoolsv.exe 2836 spoolsv.exe 1852 spoolsv.exe 1704 spoolsv.exe 296 spoolsv.exe 1808 spoolsv.exe 2044 spoolsv.exe 1704 spoolsv.exe 2996 spoolsv.exe 2196 spoolsv.exe 2840 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 3048 wrote to memory of 1820 3048 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 28 PID 1820 wrote to memory of 2340 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 29 PID 1820 wrote to memory of 2340 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 29 PID 1820 wrote to memory of 2340 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 29 PID 1820 wrote to memory of 2340 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 29 PID 1820 wrote to memory of 2616 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 30 PID 1820 wrote to memory of 2616 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 30 PID 1820 wrote to memory of 2616 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 30 PID 1820 wrote to memory of 2616 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 30 PID 1820 wrote to memory of 2616 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 30 PID 1820 wrote to memory of 2616 1820 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 30 PID 2616 wrote to memory of 2444 2616 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 31 PID 2616 wrote to memory of 2444 2616 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 31 PID 2616 wrote to memory of 2444 2616 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 31 PID 2616 wrote to memory of 2444 2616 b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe 31 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 2444 wrote to memory of 3032 2444 explorer.exe 32 PID 3032 wrote to memory of 1740 3032 explorer.exe 35 PID 3032 wrote to memory of 1740 3032 explorer.exe 35 PID 3032 wrote to memory of 1740 3032 explorer.exe 35 PID 3032 wrote to memory of 1740 3032 explorer.exe 35 PID 3032 wrote to memory of 1740 3032 explorer.exe 35 PID 3032 wrote to memory of 1740 3032 explorer.exe 35 PID 1740 wrote to memory of 1616 1740 explorer.exe 36 PID 1740 wrote to memory of 1616 1740 explorer.exe 36 PID 1740 wrote to memory of 1616 1740 explorer.exe 36 PID 1740 wrote to memory of 1616 1740 explorer.exe 36 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37 PID 1616 wrote to memory of 1612 1616 spoolsv.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:2340
-
-
C:\Users\Admin\AppData\Local\Temp\b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4b3f061e49cb4340deffe5bb7c1bb38_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1612 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5020
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2988 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2892 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3288
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:384 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1500 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5172
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1136 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2072 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5392
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:852 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1940 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5256
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2052 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2004
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2588 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2696
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2492 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1796 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7772
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2792 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1220 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5276
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2660 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1664 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7348
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2680 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1492 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5292
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1860 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:384
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1136 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1628
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2184 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2264
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2916 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1596
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1256 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2052
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1196 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1280
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:840 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2232
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2092 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2888 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5316
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:540 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2368
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:848 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:916 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6740
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1504 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:884
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1600 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2700 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6692
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1300 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2492 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5356
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1776 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:840 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5188
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2088 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2468 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6080
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1144 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1712
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1768 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2352
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2508 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:868
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2868 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2592 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6768
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2672 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2800
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2836 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1576
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:992 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2960
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6748
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2284 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1544
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3068 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2200
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2760 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2976
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5212
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2416 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2652
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1284 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1336
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6148
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1772 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:672
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6756
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:320 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2292 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7708
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2464 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2424
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:888 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:1552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:532 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:324
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6404
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2192 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:744
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7328
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2728 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2428
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2812 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2464
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2836 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2680
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5576
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1852 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1872
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1704 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2820
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7320
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:296 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:888
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1808 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2064
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5136
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2044 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2856
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1704 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2604
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2996 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1624
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2196 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2288
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2840 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2416
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1536
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7208
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1784 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:552
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5156
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1616 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2092 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6436
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2748
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2832
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1144
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:992
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2436 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6920
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1440 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1104
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:2752 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2868
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2360
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1288
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2944
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1944
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1256 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2932
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1480
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2708
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:2884 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1284
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1988 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1852
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2168
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:400
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7628
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2028
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2512
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2964
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:948
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1960 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2736
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7556
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1704
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1988
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:2168 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1812
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6912
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3168
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3208
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3312 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3332
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3448
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3564
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1224
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3668
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3684
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3756
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3816 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6412
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3964
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4000
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:2168 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3192
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3268 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3380
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3484
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3596
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3724 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3812
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3884 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3976
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4076 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3120
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7216
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3232
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3304
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3436
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3536
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3636
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3780
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3860
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3972
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3968
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3152
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7524
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3280 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3420
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3512
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3448
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3744
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3912
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6904
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3984 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3088
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3968
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3328
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3464
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3560 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6700
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3740
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3908
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4036
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4080
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7576
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3296
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3460
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3672
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3736
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3896
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3996
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3300
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3352
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7368
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3436 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3732 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7428
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4052
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3248
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3528
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3508
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4012
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2488
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7684
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3344 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3444
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3616
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3544
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3256
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7700
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3620
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3948
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7156
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3504
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3324
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3884
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4076 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3232
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6128
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3608
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3860
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3280
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3880
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2100
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3504
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4036
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3168
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3620
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3984
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3104
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3344
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3280
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3796
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6928
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3312
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3280
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3888
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3140
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3888
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3272
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4200
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4280
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4404
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4480
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4568
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4664 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6996
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4816
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7540
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4900
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5000
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5064
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4112
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4216
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4308
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4396
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4476
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4656
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4788
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4872
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5032
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7044
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3888 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4180
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4300
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4424
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5236
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4544
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4620
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4684
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4824
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4892
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5052
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3712
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4208
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4268
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4300
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4460
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4556
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4780
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4948
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5048
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:5068
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4272
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4432
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4504
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4644
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4812
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4880
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5020
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4104
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4216
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4560
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4836
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4784
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4100
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4336
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4328
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4588
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4684
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4936
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4192 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3712
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4380
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4528
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4640
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4692
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5092
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4200
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4324
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4124
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4628 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4696
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5108 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3808
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5176
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4728
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4924
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4736
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4504
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4796
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1580
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
56KB
MD5bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA13fd23d4f14da768da7b8364d74c54932d704e74e
SHA25690f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA51272360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562
-
Filesize
2.6MB
MD5aa2448a26a1bd0f45040f1aa34e41aa5
SHA1b1f7e9227b966d01c05eb91fd1ff1b39e68a30a3
SHA2565237c872fa45d6d87888f7d1f56692082add8edcafad32164500a3620d0413ba
SHA512142f5e341ce86fcdfc6e776f88265598e5898c89fa04ff6296e704c78b56a4f2d81f1f12d245429414ad96ffe5cec845a0d90b324b06fd2ac38f654abc74bc38
-
Filesize
2.6MB
MD50e9ed35def98c4a5c33001e4106192bd
SHA1751273fc6ce0d419978c0ebb2001e18eb3f2976a
SHA2565209062bb12dd03faebcba1120f77355a574873133bb6cc999a36c191f52646b
SHA5125901415c8a0d2aebfcf5c53be5165da9734eb64e4ab246f3def68466ad54efc2247fd07e2349a2a61d26b3c20de5ae18ba9347211fbe5549d6fe0aeb3c751c2a