pony | 49cfa3c3afb0e3c1a4f923ac103acdc3d7c89b08661e7c9c7bb75ae2f38a4419

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
Size

2.6MB
MD5

f9e89a54be27e315f73de9d44f96a2cd
SHA1

79112fe17aa6855daef82f89895750351dcbfae5
SHA256

49cfa3c3afb0e3c1a4f923ac103acdc3d7c89b08661e7c9c7bb75ae2f38a4419
SHA512

2cb735d53ec1ddd318f9cc9f3a94e1faf41beb487f56905ba26223cb579a138d5ff8efd534f08263cefe8300a4bb34cf6cb29ce632636dca0c0fd648069831e6
SSDEEP

49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrln:86SIROiFJiwp0xlrln

Score

10^/10

pony discovery evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
2428	explorer.exe
1448	explorer.exe
588	explorer.exe
1652	spoolsv.exe
2040	spoolsv.exe
2204	spoolsv.exe
2360	spoolsv.exe
908	spoolsv.exe
2460	spoolsv.exe
556	spoolsv.exe
1780	spoolsv.exe
2248	spoolsv.exe
1984	spoolsv.exe
2328	spoolsv.exe
2704	spoolsv.exe
3020	spoolsv.exe
2860	spoolsv.exe
752	spoolsv.exe
1712	spoolsv.exe
2572	spoolsv.exe
2800	spoolsv.exe
1220	spoolsv.exe
2348	spoolsv.exe
2168	spoolsv.exe
328	spoolsv.exe
300	spoolsv.exe
1472	spoolsv.exe
2080	spoolsv.exe
2424	spoolsv.exe
888	spoolsv.exe
2416	spoolsv.exe
1504	spoolsv.exe
2568	spoolsv.exe
2152	spoolsv.exe
2632	spoolsv.exe
1688	spoolsv.exe
572	spoolsv.exe
2472	spoolsv.exe
2964	spoolsv.exe
1952	spoolsv.exe
2372	spoolsv.exe
880	spoolsv.exe
1740	spoolsv.exe
2484	spoolsv.exe
1728	spoolsv.exe
2248	spoolsv.exe
2932	spoolsv.exe
2668	spoolsv.exe
2716	spoolsv.exe
2888	spoolsv.exe
2188	spoolsv.exe
1888	spoolsv.exe
1656	spoolsv.exe
1904	spoolsv.exe
1220	spoolsv.exe
2336	spoolsv.exe
284	spoolsv.exe
1840	spoolsv.exe
2912	spoolsv.exe
2744	spoolsv.exe
2508	spoolsv.exe
3016	spoolsv.exe
2804	spoolsv.exe
668	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
2584	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
2584	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
2428	explorer.exe
588	explorer.exe
588	explorer.exe
1652	spoolsv.exe
588	explorer.exe
588	explorer.exe
2204	spoolsv.exe
588	explorer.exe
588	explorer.exe
908	spoolsv.exe
588	explorer.exe
588	explorer.exe
556	spoolsv.exe
588	explorer.exe
588	explorer.exe
2248	spoolsv.exe
588	explorer.exe
588	explorer.exe
2328	spoolsv.exe
588	explorer.exe
588	explorer.exe
3020	spoolsv.exe
588	explorer.exe
588	explorer.exe
752	spoolsv.exe
588	explorer.exe
588	explorer.exe
2572	spoolsv.exe
588	explorer.exe
588	explorer.exe
1220	spoolsv.exe
588	explorer.exe
588	explorer.exe
2168	spoolsv.exe
588	explorer.exe
588	explorer.exe
300	spoolsv.exe
588	explorer.exe
588	explorer.exe
2080	spoolsv.exe
588	explorer.exe
588	explorer.exe
888	spoolsv.exe
588	explorer.exe
588	explorer.exe
1504	spoolsv.exe
588	explorer.exe
588	explorer.exe
2152	spoolsv.exe
588	explorer.exe
588	explorer.exe
1688	spoolsv.exe
588	explorer.exe
588	explorer.exe
2472	spoolsv.exe
588	explorer.exe
588	explorer.exe
1952	spoolsv.exe
588	explorer.exe
588	explorer.exe
880	spoolsv.exe
588	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2416 set thread context of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2636 set thread context of 2584	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	32
PID 2428 set thread context of 1448	2428	explorer.exe	34
PID 1448 set thread context of 588	1448	explorer.exe	35
PID 1652 set thread context of 2040	1652	spoolsv.exe	37
PID 2204 set thread context of 2360	2204	spoolsv.exe	39
PID 908 set thread context of 2460	908	spoolsv.exe	41
PID 556 set thread context of 1780	556	spoolsv.exe	43
PID 2248 set thread context of 1984	2248	spoolsv.exe	45
PID 2328 set thread context of 2704	2328	spoolsv.exe	47
PID 3020 set thread context of 2860	3020	spoolsv.exe	49
PID 752 set thread context of 1712	752	spoolsv.exe	51
PID 2572 set thread context of 2800	2572	spoolsv.exe	53
PID 1220 set thread context of 2348	1220	spoolsv.exe	55
PID 2168 set thread context of 328	2168	spoolsv.exe	57
PID 300 set thread context of 1472	300	spoolsv.exe	59
PID 2080 set thread context of 2424	2080	spoolsv.exe	61
PID 888 set thread context of 2416	888	spoolsv.exe	63
PID 1504 set thread context of 2568	1504	spoolsv.exe	65
PID 2152 set thread context of 2632	2152	spoolsv.exe	67
PID 1688 set thread context of 572	1688	spoolsv.exe	69
PID 2472 set thread context of 2964	2472	spoolsv.exe	71
PID 1952 set thread context of 2372	1952	spoolsv.exe	73
PID 880 set thread context of 1740	880	spoolsv.exe	75
PID 2484 set thread context of 1728	2484	spoolsv.exe	77
PID 2248 set thread context of 2932	2248	spoolsv.exe	79
PID 2668 set thread context of 2716	2668	spoolsv.exe	81
PID 2888 set thread context of 2188	2888	spoolsv.exe	83
PID 1888 set thread context of 1656	1888	spoolsv.exe	85
PID 1904 set thread context of 1220	1904	spoolsv.exe	87
PID 2336 set thread context of 284	2336	spoolsv.exe	89
PID 1840 set thread context of 2912	1840	spoolsv.exe	91
PID 2744 set thread context of 2508	2744	spoolsv.exe	93
PID 3016 set thread context of 2804	3016	spoolsv.exe	95
PID 668 set thread context of 2008	668	spoolsv.exe	97
PID 1452 set thread context of 2312	1452	spoolsv.exe	99
PID 2020 set thread context of 772	2020	spoolsv.exe	101
PID 2120 set thread context of 3068	2120	spoolsv.exe	103
PID 2164 set thread context of 2856	2164	spoolsv.exe	105
PID 2668 set thread context of 1056	2668	spoolsv.exe	107
PID 2344 set thread context of 1676	2344	spoolsv.exe	109
PID 2724 set thread context of 2212	2724	spoolsv.exe	111
PID 2024 set thread context of 2484	2024	spoolsv.exe	113
PID 2828 set thread context of 1504	2828	spoolsv.exe	115
PID 356 set thread context of 2428	356	spoolsv.exe	117
PID 1048 set thread context of 2232	1048	spoolsv.exe	119
PID 2104 set thread context of 1748	2104	spoolsv.exe	121
PID 2308 set thread context of 2676	2308	spoolsv.exe	123
PID 1988 set thread context of 2904	1988	spoolsv.exe	125
PID 484 set thread context of 2036	484	spoolsv.exe	127
PID 352 set thread context of 1236	352	spoolsv.exe	129
PID 1240 set thread context of 1160	1240	spoolsv.exe	131
PID 2028 set thread context of 1988	2028	spoolsv.exe	133
PID 2108 set thread context of 1068	2108	spoolsv.exe	135
PID 2168 set thread context of 2068	2168	spoolsv.exe	137
PID 1488 set thread context of 2748	1488	spoolsv.exe	139
PID 1112 set thread context of 1824	1112	spoolsv.exe	141
PID 2200 set thread context of 2140	2200	spoolsv.exe	143
PID 2556 set thread context of 3016	2556	spoolsv.exe	145
PID 2364 set thread context of 1776	2364	spoolsv.exe	147
PID 2120 set thread context of 2336	2120	spoolsv.exe	149
PID 2244 set thread context of 2144	2244	spoolsv.exe	151
PID 2900 set thread context of 1292	2900	spoolsv.exe	153
PID 3008 set thread context of 2548	3008	spoolsv.exe	155

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2584	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe
588	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
588	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
2584	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
2584	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
2428	explorer.exe
588	explorer.exe
588	explorer.exe
1652	spoolsv.exe
588	explorer.exe
588	explorer.exe
2204	spoolsv.exe
908	spoolsv.exe
556	spoolsv.exe
2248	spoolsv.exe
2328	spoolsv.exe
3020	spoolsv.exe
752	spoolsv.exe
2572	spoolsv.exe
1220	spoolsv.exe
2168	spoolsv.exe
300	spoolsv.exe
2080	spoolsv.exe
888	spoolsv.exe
1504	spoolsv.exe
2152	spoolsv.exe
1688	spoolsv.exe
2472	spoolsv.exe
1952	spoolsv.exe
880	spoolsv.exe
2484	spoolsv.exe
2248	spoolsv.exe
2668	spoolsv.exe
2888	spoolsv.exe
1888	spoolsv.exe
1904	spoolsv.exe
2336	spoolsv.exe
1840	spoolsv.exe
2744	spoolsv.exe
3016	spoolsv.exe
668	spoolsv.exe
1452	spoolsv.exe
2020	spoolsv.exe
2120	spoolsv.exe
2164	spoolsv.exe
2668	spoolsv.exe
2344	spoolsv.exe
2724	spoolsv.exe
2024	spoolsv.exe
2828	spoolsv.exe
356	spoolsv.exe
1048	spoolsv.exe
2104	spoolsv.exe
2308	spoolsv.exe
1988	spoolsv.exe
484	spoolsv.exe
352	spoolsv.exe
1240	spoolsv.exe
2028	spoolsv.exe
2108	spoolsv.exe
2168	spoolsv.exe
1488	spoolsv.exe
1112	spoolsv.exe
2200	spoolsv.exe
2556	spoolsv.exe
2364	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2636	2416	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	30
PID 2636 wrote to memory of 2820	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2820	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2820	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2820	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	31
PID 2636 wrote to memory of 2584	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2584	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2584	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2584	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2584	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	32
PID 2636 wrote to memory of 2584	2636	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	32
PID 2584 wrote to memory of 2428	2584	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	33
PID 2584 wrote to memory of 2428	2584	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	33
PID 2584 wrote to memory of 2428	2584	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	33
PID 2584 wrote to memory of 2428	2584	f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe	33
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 2428 wrote to memory of 1448	2428	explorer.exe	34
PID 1448 wrote to memory of 588	1448	explorer.exe	35
PID 1448 wrote to memory of 588	1448	explorer.exe	35
PID 1448 wrote to memory of 588	1448	explorer.exe	35
PID 1448 wrote to memory of 588	1448	explorer.exe	35
PID 1448 wrote to memory of 588	1448	explorer.exe	35
PID 1448 wrote to memory of 588	1448	explorer.exe	35
PID 588 wrote to memory of 1652	588	explorer.exe	36
PID 588 wrote to memory of 1652	588	explorer.exe	36
PID 588 wrote to memory of 1652	588	explorer.exe	36
PID 588 wrote to memory of 1652	588	explorer.exe	36
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37
PID 1652 wrote to memory of 2040	1652	spoolsv.exe	37

C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2428
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1448
      - \??\c:\windows\system\explorer.exe
        
        "c:\windows\system\explorer.exe"
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2040
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4816
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2360
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:844
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:2256
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4588
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2704
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6488
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3020
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2860
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:2208
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:752
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1712
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2800
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1220
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2348
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6788
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1472
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2080
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2424
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6180
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2416
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2568
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2152
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2632
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1688
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:572
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2472
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2964
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:880
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1740
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1728
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2932
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:7032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2716
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6660
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:1656
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1220
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2336
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:284
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:4296
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2508
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:7052
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Executes dropped EXE
        
        PID:2804
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2312
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:772
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2120
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3068
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2164
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2856
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5044
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:1056
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6352
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1676
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2212
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6380
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:356
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2428
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2676
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6752
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1236
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:7184
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1240
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1160
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:1988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1488
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1112
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1824
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:7196
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1776
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:2612
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2120
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2336
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2244
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2144
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2900
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        
        PID:3008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:920
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3000
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2288
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1980
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:1112
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3056
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6824
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2296
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6860
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:1856
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2288
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2756
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2152
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1916
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:352
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1976
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1496
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:2664
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3184
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3612
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3816
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:7104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3976
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:2844
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3452
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3672
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:7156
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3988
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6096
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3080
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3288
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3400
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3520
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3632
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3968
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6800
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3088
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3144
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3388
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3448
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6876
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3504
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3788
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3524
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4052
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3080
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3276
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:5232
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3320
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3664
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3876
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3208
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3372
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3472
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3256
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3460
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6740
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:3384
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3592
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3552
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3108
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3436
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:3528
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3964
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3920
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3292
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6696
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3340
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4176
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4524
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4620
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4688
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4876
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:5004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4260
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4180
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4424
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4680
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4808
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5088
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4132
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4460
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4536
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4656
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4764
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5076
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3704
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4124
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4508
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4124
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4656
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5048
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5116
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4168
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4560
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        Drops file in Windows directory
        
        PID:4744
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6808
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4976
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4984
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3728
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:5092
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4920
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4180
        
        \??\c:\windows\system\spoolsv.exe
        
        "c:\windows\system\spoolsv.exe"
        9⤵
        
        PID:6912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:3468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4804
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4896
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:4408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5108
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        8⤵
        
        PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini

Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.6MB

MD5
5a02045f457bd9a36988f50c6f09dfb7

SHA1
135c474bd29599eb6cd586405cdf87f757d03c25

SHA256
a70fc512b4437fabaef376e886dca1cb82a3da54cc3af82e66d72dd1d4fa474a

SHA512
a7fa1e43541f17d9009b924d7933f205c25512eb19d629f1627d249feeb3c39965a68da76b8abd35f35b941afa3b12692b45ea3f603958cb37143b825a0decdf

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.6MB

MD5
a077ab0905f236be57b94636f55f2a6e

SHA1
ce30520be0b0a40bc7bcc3d8200e083db305036b

SHA256
dd622cd48f248869be21301a5f95db6b959359becc76e371f1391d67dde2f7a5

SHA512
3361525ddf5ac1309814a61791c7213135654e2b03fff995ab686610af06618a6a8fff3855be4e0ee5942ef23ef11745b031aa347f7fb0dcffc840a5c9548445

Download Submit
memory/844-5625-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/844-5443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1448-59-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1448-84-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1448-76-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1448-63-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2040-104-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2416-2-0x0000000000407000-0x0000000000408000-memory.dmp

Filesize
4KB

Download
memory/2428-58-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2428-54-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2584-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-30-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2636-6-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2636-23-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2636-37-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2636-7-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2636-5-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2636-4-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2636-3-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4520-5463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4816-5352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download