Analysis
-
max time kernel
78s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
16-06-2024 19:03
Behavioral task
behavioral1
Sample
b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe
Resource
win7-20240508-en
General
-
Target
b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
b4b5d12bee0ca87525785c7b354eddc7
-
SHA1
30d4774b1323617c4e5f802aae63612e958ae353
-
SHA256
e04c1dabe86c5eca51e2f7f24f076381261c58b9eebe5699ec0bff044e35055c
-
SHA512
deaefac267c4ad933d03293598d8a7f4ee6c0a0d09af755414438d15afd41704911c347280818dc76e84acbaf17dd233dd6fbd3c2d5f7477f76e3b7c55c85dd1
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrl+:86SIROiFJiwp0xlrl+
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Modifies Installed Components in the registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
pid Process 2532 explorer.exe 2572 explorer.exe 1768 explorer.exe 1072 spoolsv.exe 1168 spoolsv.exe 1404 spoolsv.exe 1332 spoolsv.exe 2348 spoolsv.exe 2276 spoolsv.exe 1636 spoolsv.exe 1532 spoolsv.exe 888 spoolsv.exe 1712 spoolsv.exe 2852 spoolsv.exe 2720 spoolsv.exe 2876 spoolsv.exe 2436 spoolsv.exe 1680 spoolsv.exe 2524 spoolsv.exe 2536 spoolsv.exe 2588 spoolsv.exe 2700 spoolsv.exe 1940 spoolsv.exe 604 spoolsv.exe 1716 spoolsv.exe 2104 spoolsv.exe 2152 spoolsv.exe 856 spoolsv.exe 1344 spoolsv.exe 1928 spoolsv.exe 2232 spoolsv.exe 2932 spoolsv.exe 2036 spoolsv.exe 1240 spoolsv.exe 2768 spoolsv.exe 2264 spoolsv.exe 2416 spoolsv.exe 1368 spoolsv.exe 268 spoolsv.exe 1512 spoolsv.exe 2200 spoolsv.exe 2268 spoolsv.exe 572 spoolsv.exe 1544 spoolsv.exe 708 spoolsv.exe 856 spoolsv.exe 2112 spoolsv.exe 2868 spoolsv.exe 1704 spoolsv.exe 2668 spoolsv.exe 2528 spoolsv.exe 1312 spoolsv.exe 2520 spoolsv.exe 1736 spoolsv.exe 1032 spoolsv.exe 548 spoolsv.exe 1072 spoolsv.exe 2872 spoolsv.exe 2324 spoolsv.exe 2028 spoolsv.exe 340 spoolsv.exe 288 spoolsv.exe 892 spoolsv.exe 1456 spoolsv.exe -
Loads dropped DLL 64 IoCs
pid Process 2820 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 2820 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 1768 explorer.exe 1768 explorer.exe 1072 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 1404 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 2348 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 1636 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 888 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 2852 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 2876 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 1680 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 2536 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 2700 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 604 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 2104 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 856 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 1928 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 2932 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 1240 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 2264 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 1368 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 1512 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 2268 spoolsv.exe 1768 explorer.exe 1768 explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe -
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target PID 1688 set thread context of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 2056 set thread context of 2820 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 30 PID 2532 set thread context of 2572 2532 explorer.exe 32 PID 2572 set thread context of 1768 2572 explorer.exe 35 PID 1072 set thread context of 1168 1072 spoolsv.exe 37 PID 1404 set thread context of 1332 1404 spoolsv.exe 39 PID 2348 set thread context of 2276 2348 spoolsv.exe 41 PID 1636 set thread context of 1532 1636 spoolsv.exe 43 PID 888 set thread context of 1712 888 spoolsv.exe 45 PID 2852 set thread context of 2720 2852 spoolsv.exe 47 PID 2876 set thread context of 2436 2876 spoolsv.exe 49 PID 1680 set thread context of 2524 1680 spoolsv.exe 51 PID 2536 set thread context of 2588 2536 spoolsv.exe 53 PID 2700 set thread context of 1940 2700 spoolsv.exe 55 PID 604 set thread context of 1716 604 spoolsv.exe 57 PID 2104 set thread context of 2152 2104 spoolsv.exe 59 PID 856 set thread context of 1344 856 spoolsv.exe 61 PID 1928 set thread context of 2232 1928 spoolsv.exe 63 PID 2932 set thread context of 2036 2932 spoolsv.exe 65 PID 1240 set thread context of 2768 1240 spoolsv.exe 67 PID 2264 set thread context of 2416 2264 spoolsv.exe 69 PID 1368 set thread context of 268 1368 spoolsv.exe 71 PID 1512 set thread context of 2200 1512 spoolsv.exe 73 PID 2268 set thread context of 572 2268 spoolsv.exe 75 PID 1544 set thread context of 708 1544 spoolsv.exe 77 PID 856 set thread context of 2112 856 spoolsv.exe 79 PID 2868 set thread context of 1704 2868 spoolsv.exe 81 PID 2668 set thread context of 2528 2668 spoolsv.exe 83 PID 1312 set thread context of 2520 1312 spoolsv.exe 85 PID 1736 set thread context of 1032 1736 spoolsv.exe 87 PID 548 set thread context of 1072 548 spoolsv.exe 89 PID 2872 set thread context of 2324 2872 spoolsv.exe 91 PID 2028 set thread context of 340 2028 spoolsv.exe 93 PID 288 set thread context of 892 288 spoolsv.exe 95 PID 1456 set thread context of 2488 1456 spoolsv.exe 97 PID 2556 set thread context of 2860 2556 spoolsv.exe 99 PID 1312 set thread context of 1552 1312 spoolsv.exe 101 PID 568 set thread context of 684 568 spoolsv.exe 103 PID 3052 set thread context of 2888 3052 spoolsv.exe 105 PID 1104 set thread context of 1868 1104 spoolsv.exe 107 PID 2824 set thread context of 2116 2824 spoolsv.exe 109 PID 2916 set thread context of 2664 2916 spoolsv.exe 111 PID 2544 set thread context of 2636 2544 spoolsv.exe 113 PID 1648 set thread context of 2696 1648 spoolsv.exe 115 PID 584 set thread context of 3052 584 spoolsv.exe 117 PID 2084 set thread context of 2168 2084 spoolsv.exe 119 PID 1456 set thread context of 2504 1456 spoolsv.exe 121 PID 2496 set thread context of 2508 2496 spoolsv.exe 123 PID 1040 set thread context of 2356 1040 spoolsv.exe 125 PID 1004 set thread context of 1636 1004 spoolsv.exe 127 PID 1764 set thread context of 2952 1764 spoolsv.exe 129 PID 2780 set thread context of 2264 2780 spoolsv.exe 131 PID 2236 set thread context of 1040 2236 spoolsv.exe 133 PID 576 set thread context of 896 576 spoolsv.exe 135 PID 1828 set thread context of 288 1828 spoolsv.exe 137 PID 1536 set thread context of 316 1536 spoolsv.exe 139 PID 2364 set thread context of 1856 2364 spoolsv.exe 141 PID 1300 set thread context of 1764 1300 spoolsv.exe 143 PID 2944 set thread context of 2196 2944 spoolsv.exe 145 PID 3028 set thread context of 2856 3028 spoolsv.exe 147 PID 1580 set thread context of 1828 1580 spoolsv.exe 149 PID 1312 set thread context of 2496 1312 spoolsv.exe 151 PID 3012 set thread context of 1820 3012 spoolsv.exe 153 PID 1336 set thread context of 2812 1336 spoolsv.exe 155 -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2820 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe 1768 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1768 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 2820 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 2820 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 2532 explorer.exe 1768 explorer.exe 1768 explorer.exe 1072 spoolsv.exe 1768 explorer.exe 1768 explorer.exe 1404 spoolsv.exe 2348 spoolsv.exe 1636 spoolsv.exe 888 spoolsv.exe 2852 spoolsv.exe 2876 spoolsv.exe 1680 spoolsv.exe 2536 spoolsv.exe 2700 spoolsv.exe 604 spoolsv.exe 2104 spoolsv.exe 856 spoolsv.exe 1928 spoolsv.exe 2932 spoolsv.exe 1240 spoolsv.exe 2264 spoolsv.exe 1368 spoolsv.exe 1512 spoolsv.exe 2268 spoolsv.exe 1544 spoolsv.exe 856 spoolsv.exe 2868 spoolsv.exe 2668 spoolsv.exe 1312 spoolsv.exe 1736 spoolsv.exe 548 spoolsv.exe 2872 spoolsv.exe 2028 spoolsv.exe 288 spoolsv.exe 1456 spoolsv.exe 2556 spoolsv.exe 1312 spoolsv.exe 568 spoolsv.exe 3052 spoolsv.exe 1104 spoolsv.exe 2824 spoolsv.exe 2916 spoolsv.exe 2544 spoolsv.exe 1648 spoolsv.exe 584 spoolsv.exe 2084 spoolsv.exe 1456 spoolsv.exe 2496 spoolsv.exe 1040 spoolsv.exe 1004 spoolsv.exe 1764 spoolsv.exe 2780 spoolsv.exe 2236 spoolsv.exe 576 spoolsv.exe 1828 spoolsv.exe 1536 spoolsv.exe 2364 spoolsv.exe 1300 spoolsv.exe 2944 spoolsv.exe 3028 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 1688 wrote to memory of 2056 1688 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 28 PID 2056 wrote to memory of 1872 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 29 PID 2056 wrote to memory of 1872 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 29 PID 2056 wrote to memory of 1872 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 29 PID 2056 wrote to memory of 1872 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 29 PID 2056 wrote to memory of 2820 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 30 PID 2056 wrote to memory of 2820 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 30 PID 2056 wrote to memory of 2820 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 30 PID 2056 wrote to memory of 2820 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 30 PID 2056 wrote to memory of 2820 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 30 PID 2056 wrote to memory of 2820 2056 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 30 PID 2820 wrote to memory of 2532 2820 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 31 PID 2820 wrote to memory of 2532 2820 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 31 PID 2820 wrote to memory of 2532 2820 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 31 PID 2820 wrote to memory of 2532 2820 b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe 31 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2532 wrote to memory of 2572 2532 explorer.exe 32 PID 2572 wrote to memory of 1768 2572 explorer.exe 35 PID 2572 wrote to memory of 1768 2572 explorer.exe 35 PID 2572 wrote to memory of 1768 2572 explorer.exe 35 PID 2572 wrote to memory of 1768 2572 explorer.exe 35 PID 2572 wrote to memory of 1768 2572 explorer.exe 35 PID 2572 wrote to memory of 1768 2572 explorer.exe 35 PID 1768 wrote to memory of 1072 1768 explorer.exe 36 PID 1768 wrote to memory of 1072 1768 explorer.exe 36 PID 1768 wrote to memory of 1072 1768 explorer.exe 36 PID 1768 wrote to memory of 1072 1768 explorer.exe 36 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37 PID 1072 wrote to memory of 1168 1072 spoolsv.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:1872
-
-
C:\Users\Admin\AppData\Local\Temp\b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b4b5d12bee0ca87525785c7b354eddc7_JaffaCakes118.exe"3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2820 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2572 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1168
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1404 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1332 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5972
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2348 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2276 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6232
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1636 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1532
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:888 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1712
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2852 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2720 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6220
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2876 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2436
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1680 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2524
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2588
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2700 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1940
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:604 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1716
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2104 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2152
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:856 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1344
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1928 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2232
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2932 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2036 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5164
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1240 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2768
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2264 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2416
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1368 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:268 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6164
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1512 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2200
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2268 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:572
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1544 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:708
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:856 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2112
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2868 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1704
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2668 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:2528
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1312 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2520
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1736 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:1032
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:548 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1072
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2872 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2324
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2028 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:340
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:288 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:892
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1456 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2488
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2556 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2860
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1312 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:568 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:684
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3052 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2888
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1104 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1868
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2824 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2116
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2916 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2664
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2544 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2636
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1648 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2696
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:584 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3052
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2084 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2168
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1456 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2504
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6304
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2496 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2508
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1040 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2356
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1004 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1636
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7760
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1764 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2952
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2780 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2264
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2236 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1040
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:576 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:896
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1828 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:288
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6588
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1536 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:316
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2364 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1856
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1300 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1764
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2944 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2196
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3028 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2856
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1580 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1828
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1312 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2496
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:3012 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1820
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:1336 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2812
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2244
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2268
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2484
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1920
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1404
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2364
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:856
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2648
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2484
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1796
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1068
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1536
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1096
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2736
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2284
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1384
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:1336 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1488
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:856
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1824
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2444
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2936
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2536
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1068
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3092
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3156
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3256
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3300
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3356
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3460 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3496
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3612
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3672
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3812
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3888
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3952
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3988
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:2896
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3240
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3160
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3336
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3304
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3488
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3572
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3708
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3744
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3860
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3876
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4048
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4088
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1448
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3224
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3316 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3408
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3544
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3660
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3788 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3804
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3936
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4016
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3088
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2908
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3252 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3436
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3488 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3596
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3752 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3792
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3964
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1404
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3076
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3320
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3456
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3488
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3544
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3868
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3864
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3104
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3148
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3384
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3416
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3812
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3084
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1336
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3284
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3348
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3488
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3776
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3860
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3996
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3172
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3240
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3604
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3488
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3940
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3484
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3188
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2924
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3604
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4064
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:3236 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3584
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3820
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3080
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2096
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3320
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3872
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3184
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3396
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3656
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3128
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3532
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3904
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1824
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3632
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3464
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3620
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3904
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3128
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3956
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3276
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3128
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1740
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3620
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3232
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:3756
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3708
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4144
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4200
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4276
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4404
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4512
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4588
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4656
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4712
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4812 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4852
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5116
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4192
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4304
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4436
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4504 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4548
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4676 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4660
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4876
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4896
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5016 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5052
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4164 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4172
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4356
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4400
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4664
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4784
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4804
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5004
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5032
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4152
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4288
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4460
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4628
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4724
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4924
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5064
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4112
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4336
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4480
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4568 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4676
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4360
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4904
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3124
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4148
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4352 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4276
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4540
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4708
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4916
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4356
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4636
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4720
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4836
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4816
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4380
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4700
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4800
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5016
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4964
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4304
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4496
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4864
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4144
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4372
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4184
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4832
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4912
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4344
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4784
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4944
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4156
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4456 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4368
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4944
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4456
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4140 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4352
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4944
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4492
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5104
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4572
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5100
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4260
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4688
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5004
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4516
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:4260 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4136
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4636
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4464
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4944
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:5132
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5240
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5296
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5404
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5440
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5484
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5584
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5652
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5708
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5816
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5836
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6028
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6108
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5128
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5280
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5384
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5520
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5488
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:5736
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5984
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6076
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5180
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5244
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5364
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5408
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5572
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5672
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5792
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5892 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5936
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6060
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6088
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5276
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5308
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5956
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5556
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5652
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5756
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5944
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6000
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5140 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5212
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5416
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
PID:4540
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5692
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5752
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5920 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5964
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5172 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5260
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5532
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5700
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5676
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5904
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6064
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4260
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5452
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5568
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5932
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5228
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5372
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5460
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5396
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5908
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5164
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5224
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5336
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5644
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6100
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5328
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5976
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5676
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6084
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5240
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5776
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5732
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5896
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5704
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
56KB
MD5bd72dcf1083b6e22ccbfa0e8e27fb1e0
SHA13fd23d4f14da768da7b8364d74c54932d704e74e
SHA25690f44f69950a796ab46ff09181585ac9dabf21271f16ebb9ea385c957e5955c1
SHA51272360ab4078ad5e0152324f9a856b3396e2d0247f7f95ac8a5a53a25126ac3cff567cc523849e28d92a99730ee8ffb30366f09c428258f93a5cca6d0c5905562
-
Filesize
2.6MB
MD540b2a0e23e345a43b8e6de8e9d18b822
SHA11fac45f397a60510a6cc628edefd5247788324ea
SHA256d696f43382ba5a145f896f585c4fc7fb363bcaf742bebeb71f9959a0521caabd
SHA51231f378104b11dceea2442f03c12c627c171874a9c382e9e69178d2d0d579f327a75cfde1fad160c2d06bf1fb47d57f83307b80158f60b818c30ba176044f3ec7
-
Filesize
2.6MB
MD5cfc99788fcc63d09053254b935957f63
SHA1421c3da315927d0b78c86496c260d15cce89fa2a
SHA256a5e0f4dd805e3be28b8f327c8a0a575e1020b8739275f4f483199a0f3d497551
SHA512db621a0d20e4c776f1cec42434ce3c7157bbd225611ed81f8c13adc549a7610d7467ca4886d0b2ba6dd587657ff710b3c540941b35b088319e057e283c36489f