Analysis
-
max time kernel
68s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2024, 06:36
Behavioral task
behavioral1
Sample
f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
Resource
win7-20240704-en
General
-
Target
f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe
-
Size
2.6MB
-
MD5
f9e89a54be27e315f73de9d44f96a2cd
-
SHA1
79112fe17aa6855daef82f89895750351dcbfae5
-
SHA256
49cfa3c3afb0e3c1a4f923ac103acdc3d7c89b08661e7c9c7bb75ae2f38a4419
-
SHA512
2cb735d53ec1ddd318f9cc9f3a94e1faf41beb487f56905ba26223cb579a138d5ff8efd534f08263cefe8300a4bb34cf6cb29ce632636dca0c0fd648069831e6
-
SSDEEP
49152:8coQxSBeKeiOSiFmoJggggLo40KDi3gp0XhCjyrln:86SIROiFJiwp0xlrln
Malware Config
Extracted
pony
http://don.service-master.eu/gate.php
-
payload_url
http://don.service-master.eu/shit.exe
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" explorer.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" explorer.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" explorer.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe -
Executes dropped EXE 64 IoCs
pid Process 2728 explorer.exe 3028 explorer.exe 3396 explorer.exe 4696 spoolsv.exe 1760 spoolsv.exe 1068 spoolsv.exe 3512 spoolsv.exe 1460 spoolsv.exe 3416 spoolsv.exe 4772 spoolsv.exe 936 spoolsv.exe 1424 spoolsv.exe 1632 spoolsv.exe 1808 spoolsv.exe 4616 spoolsv.exe 4996 spoolsv.exe 316 spoolsv.exe 2920 spoolsv.exe 3560 spoolsv.exe 3708 spoolsv.exe 1764 spoolsv.exe 2076 spoolsv.exe 3232 spoolsv.exe 2660 spoolsv.exe 1364 spoolsv.exe 4120 spoolsv.exe 3576 spoolsv.exe 1840 spoolsv.exe 4420 spoolsv.exe 4428 spoolsv.exe 3824 spoolsv.exe 2544 spoolsv.exe 628 spoolsv.exe 1200 spoolsv.exe 208 spoolsv.exe 1040 spoolsv.exe 3240 spoolsv.exe 2184 spoolsv.exe 4544 spoolsv.exe 1428 spoolsv.exe 2736 spoolsv.exe 4880 spoolsv.exe 4120 spoolsv.exe 1968 spoolsv.exe 232 spoolsv.exe 840 spoolsv.exe 4436 spoolsv.exe 5096 spoolsv.exe 2396 spoolsv.exe 624 spoolsv.exe 3040 spoolsv.exe 1164 spoolsv.exe 3624 spoolsv.exe 2148 spoolsv.exe 4232 spoolsv.exe 4108 spoolsv.exe 2548 spoolsv.exe 3220 spoolsv.exe 1472 spoolsv.exe 2708 spoolsv.exe 1808 spoolsv.exe 2020 spoolsv.exe 3000 spoolsv.exe 3172 spoolsv.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" explorer.exe -
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target PID 3488 set thread context of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 4636 set thread context of 3224 4636 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 92 PID 2728 set thread context of 3028 2728 explorer.exe 94 PID 3028 set thread context of 3396 3028 explorer.exe 97 PID 4696 set thread context of 1760 4696 spoolsv.exe 99 PID 1068 set thread context of 3512 1068 spoolsv.exe 101 PID 1460 set thread context of 3416 1460 spoolsv.exe 103 PID 4772 set thread context of 936 4772 spoolsv.exe 105 PID 1424 set thread context of 1632 1424 spoolsv.exe 107 PID 1808 set thread context of 4616 1808 spoolsv.exe 109 PID 4996 set thread context of 316 4996 spoolsv.exe 111 PID 2920 set thread context of 3560 2920 spoolsv.exe 113 PID 3708 set thread context of 1764 3708 spoolsv.exe 115 PID 2076 set thread context of 3232 2076 spoolsv.exe 117 PID 2660 set thread context of 1364 2660 spoolsv.exe 119 PID 4120 set thread context of 3576 4120 spoolsv.exe 121 PID 1840 set thread context of 4420 1840 spoolsv.exe 123 PID 4428 set thread context of 3824 4428 spoolsv.exe 125 PID 2544 set thread context of 628 2544 spoolsv.exe 127 PID 1200 set thread context of 208 1200 spoolsv.exe 129 PID 1040 set thread context of 3240 1040 spoolsv.exe 131 PID 2184 set thread context of 4544 2184 spoolsv.exe 133 PID 1428 set thread context of 2736 1428 spoolsv.exe 135 PID 4880 set thread context of 4120 4880 spoolsv.exe 137 PID 1968 set thread context of 232 1968 spoolsv.exe 139 PID 840 set thread context of 4436 840 spoolsv.exe 141 PID 5096 set thread context of 2396 5096 spoolsv.exe 143 PID 624 set thread context of 3040 624 spoolsv.exe 145 PID 1164 set thread context of 3624 1164 spoolsv.exe 147 PID 2148 set thread context of 4232 2148 spoolsv.exe 149 PID 4108 set thread context of 2548 4108 spoolsv.exe 151 PID 3220 set thread context of 1472 3220 spoolsv.exe 153 PID 2708 set thread context of 1808 2708 spoolsv.exe 155 PID 2020 set thread context of 3000 2020 spoolsv.exe 157 PID 3172 set thread context of 1160 3172 spoolsv.exe 159 PID 1892 set thread context of 5036 1892 spoolsv.exe 161 PID 544 set thread context of 1664 544 spoolsv.exe 163 PID 3584 set thread context of 2784 3584 spoolsv.exe 165 PID 60 set thread context of 1200 60 spoolsv.exe 167 PID 4916 set thread context of 3700 4916 spoolsv.exe 169 PID 3412 set thread context of 4672 3412 spoolsv.exe 171 PID 5172 set thread context of 5376 5172 spoolsv.exe 173 PID 5460 set thread context of 5496 5460 spoolsv.exe 175 PID 5612 set thread context of 5780 5612 spoolsv.exe 177 PID 5912 set thread context of 5936 5912 spoolsv.exe 179 PID 5976 set thread context of 6040 5976 spoolsv.exe 181 PID 6076 set thread context of 6100 6076 spoolsv.exe 183 PID 6128 set thread context of 4400 6128 spoolsv.exe 185 PID 5188 set thread context of 5244 5188 spoolsv.exe 187 PID 5604 set thread context of 5672 5604 spoolsv.exe 189 PID 5748 set thread context of 5812 5748 spoolsv.exe 191 PID 5996 set thread context of 6020 5996 spoolsv.exe 193 PID 5252 set thread context of 5216 5252 spoolsv.exe 195 PID 5556 set thread context of 5796 5556 spoolsv.exe 197 PID 5752 set thread context of 5892 5752 spoolsv.exe 199 PID 920 set thread context of 2684 920 spoolsv.exe 201 PID 5272 set thread context of 5312 5272 spoolsv.exe 203 PID 5704 set thread context of 5636 5704 spoolsv.exe 205 PID 6016 set thread context of 1568 6016 spoolsv.exe 207 PID 5856 set thread context of 5852 5856 spoolsv.exe 209 PID 6056 set thread context of 6012 6056 spoolsv.exe 211 PID 4340 set thread context of 5304 4340 spoolsv.exe 213 PID 5680 set thread context of 5808 5680 spoolsv.exe 215 PID 6084 set thread context of 5412 6084 spoolsv.exe 217 -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\explorer.exe explorer.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification C:\Windows\Parameters.ini spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe File opened for modification \??\c:\windows\system\spoolsv.exe spoolsv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language spoolsv.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3224 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 3224 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe 3396 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3396 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 3224 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 3224 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 2728 explorer.exe 3396 explorer.exe 3396 explorer.exe 4696 spoolsv.exe 3396 explorer.exe 3396 explorer.exe 1068 spoolsv.exe 1460 spoolsv.exe 4772 spoolsv.exe 1424 spoolsv.exe 1808 spoolsv.exe 4996 spoolsv.exe 2920 spoolsv.exe 3708 spoolsv.exe 2076 spoolsv.exe 2660 spoolsv.exe 4120 spoolsv.exe 1840 spoolsv.exe 4428 spoolsv.exe 2544 spoolsv.exe 1200 spoolsv.exe 1040 spoolsv.exe 2184 spoolsv.exe 1428 spoolsv.exe 4880 spoolsv.exe 1968 spoolsv.exe 840 spoolsv.exe 5096 spoolsv.exe 624 spoolsv.exe 1164 spoolsv.exe 2148 spoolsv.exe 4108 spoolsv.exe 3220 spoolsv.exe 2708 spoolsv.exe 2020 spoolsv.exe 3172 spoolsv.exe 1892 spoolsv.exe 544 spoolsv.exe 3584 spoolsv.exe 60 spoolsv.exe 4916 spoolsv.exe 3412 spoolsv.exe 5172 spoolsv.exe 5460 spoolsv.exe 5612 spoolsv.exe 5912 spoolsv.exe 5976 spoolsv.exe 6076 spoolsv.exe 6128 spoolsv.exe 5188 spoolsv.exe 5604 spoolsv.exe 5748 spoolsv.exe 5996 spoolsv.exe 5252 spoolsv.exe 5556 spoolsv.exe 5752 spoolsv.exe 920 spoolsv.exe 5272 spoolsv.exe 5704 spoolsv.exe 6016 spoolsv.exe 5856 spoolsv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 3488 wrote to memory of 4636 3488 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 82 PID 4636 wrote to memory of 3948 4636 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 83 PID 4636 wrote to memory of 3948 4636 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 83 PID 4636 wrote to memory of 3224 4636 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 92 PID 4636 wrote to memory of 3224 4636 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 92 PID 4636 wrote to memory of 3224 4636 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 92 PID 4636 wrote to memory of 3224 4636 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 92 PID 4636 wrote to memory of 3224 4636 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 92 PID 3224 wrote to memory of 2728 3224 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 93 PID 3224 wrote to memory of 2728 3224 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 93 PID 3224 wrote to memory of 2728 3224 f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe 93 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 2728 wrote to memory of 3028 2728 explorer.exe 94 PID 3028 wrote to memory of 3396 3028 explorer.exe 97 PID 3028 wrote to memory of 3396 3028 explorer.exe 97 PID 3028 wrote to memory of 3396 3028 explorer.exe 97 PID 3028 wrote to memory of 3396 3028 explorer.exe 97 PID 3028 wrote to memory of 3396 3028 explorer.exe 97 PID 3396 wrote to memory of 4696 3396 explorer.exe 98 PID 3396 wrote to memory of 4696 3396 explorer.exe 98 PID 3396 wrote to memory of 4696 3396 explorer.exe 98 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 4696 wrote to memory of 1760 4696 spoolsv.exe 99 PID 3396 wrote to memory of 1068 3396 explorer.exe 100 PID 3396 wrote to memory of 1068 3396 explorer.exe 100 PID 3396 wrote to memory of 1068 3396 explorer.exe 100 PID 1068 wrote to memory of 3512 1068 spoolsv.exe 101 PID 1068 wrote to memory of 3512 1068 spoolsv.exe 101 PID 1068 wrote to memory of 3512 1068 spoolsv.exe 101 PID 1068 wrote to memory of 3512 1068 spoolsv.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe"2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵PID:3948
-
-
C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f9e89a54be27e315f73de9d44f96a2cd_JaffaCakes118.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728 -
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028 -
\??\c:\windows\system\explorer.exe"c:\windows\system\explorer.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3396 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1760 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10780
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3512 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10772
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1460 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3416 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10760
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4772 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:936 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10336
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1424 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1632 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10316
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1808 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:4616 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10168
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4996 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:316 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10568
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2920 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3560 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11184
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1764 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11024
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2076 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3232 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10808
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2660 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1364 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11032
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4120 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:3576 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11168
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1840 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4420 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6452
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4428 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3824 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11208
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2544 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:628 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11012
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1200 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:208 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11232
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1040 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3240 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10380
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2184 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:4544 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11092
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1428 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2736 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4668
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4880 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:4120 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3904
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1968 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:232 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1580
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:840 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4436 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1836
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5096 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2396 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2392
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:624 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2148
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1164 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3624 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10516
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2148 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:4232 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3132
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4108 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2548 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5688
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3220 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1472 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11136
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2708 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1808 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10408
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2020 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Executes dropped EXE
PID:3000 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5772
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3172 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1160 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5848
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1892 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5036 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6076
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:544 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:1664 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10460
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3584 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2784
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2144
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:60 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:1200 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1652
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4916 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:3700 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6320
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3412 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:4672 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2704
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5172 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5376
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5280
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5460 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5496 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2788
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5612 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5780
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10312
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5912 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5936 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3536
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5976 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6040
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10440
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6076 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6100
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5232
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6128 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4400
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10160
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5188 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5244 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2120
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5604 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5672
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1888
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5748 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5812 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3036
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5996 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:6020 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7136
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5252 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5216 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1064
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5556 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5796
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4520
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5752 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5892 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10944
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:920 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2684
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5692
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5272 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5312 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6088
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5704 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5636
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:3872
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6016 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:1568 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:5740
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5856 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5852
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:412
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:6056 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6012
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7896
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4340 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5304
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:7420
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
PID:5680 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5808 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:4960
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6084 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5412 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6516
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5584 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6800
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5528 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5184 -
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6552
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5168 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5528
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:536
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5352 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5264
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:1120
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- System Location Discovery: System Language Discovery
PID:5764 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5592
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:868
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe10⤵PID:6108
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe11⤵PID:3276
-
-
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:6004 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5336
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:11156
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5196
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5560
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:224
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:5764 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5408
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:2332
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6128
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5864
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:6968
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5168 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵
- System Location Discovery: System Language Discovery
PID:5552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- System Location Discovery: System Language Discovery
PID:5196 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1016
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10264
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵
- Drops file in Windows directory
PID:6164 -
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6300
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6404
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6440
-
\??\c:\windows\system\spoolsv.exe"c:\windows\system\spoolsv.exe"9⤵PID:10308
-
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6516
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6620
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6876
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6912
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6964
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6988
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7152
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6268
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6368
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6456
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6600
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6636
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6664
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6700
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6752
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6772
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7108
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:536
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6208
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6336
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6780
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6876
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7084
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6296
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6196
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6524
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6796
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6284
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6592
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6188
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6996
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7072
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6252
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6256
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6568
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7048
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6316
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7024
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6908
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6564
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6256
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7016
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7068
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3184
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5764
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6560
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7180
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7304
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7384
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7444
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7676
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7724
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7784
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7840
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7876
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7996
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8072
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7296
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7268
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7660
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7732
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8016
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:920
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7204
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7232
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7396
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7452
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7492
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7516
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7556
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7608
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7956
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8136
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7596
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7884
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7840
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7980
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6236
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7300
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7468
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7768
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7984
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8084
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8160
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8044
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7096
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6628
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7996
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7188
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8148
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7496
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7560
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7988
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7972
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7976
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8180
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8128
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7064
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5764
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7204
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7956
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:404
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6600
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8016
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7984
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8008
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8324
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8412
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8496
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8520
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8560
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8608
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8660
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8688
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8728
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8764
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8876
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9004
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9160
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9184
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8208
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8224
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8340
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8732
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8940
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8976
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9036
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9100
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8240
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8252
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8512
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8780
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8812
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8844
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8920
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9016
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4844
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8364
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8564
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4472
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9164
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8892
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9168
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8280
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9084
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8468
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8684
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8364
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8820
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8904
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2136
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8988
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3876
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8884
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7248
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8180
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5088
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8508
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8572
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8852
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9012
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8976
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9068
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8312
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8504
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7184
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8364
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8988
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3804
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8912
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7184
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8988
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8844
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9268
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9292
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9428
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9504
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9544
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9608
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9632
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9720
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9916
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10108
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9424
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9508
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9684
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9844
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10196
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9736
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8988
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10224
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9652
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9892
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10144
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5276
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9984
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9624
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9608
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9696
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9804
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10208
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9868
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9900
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9760
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10024
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9968
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9832
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10148
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9288
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10048
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9560
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9536
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9748
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10136
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9784
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9812
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9992
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9988
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10168
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9832
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10212
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10220
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10144
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9724
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9848
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8896
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9524
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10212
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10448
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10492
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10528
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10636
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10672
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10932
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10980
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:11136
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:11240
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10848
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1852
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5804
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5388
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7152
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2104
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5344
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5736
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1040
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7592
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9800
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4888
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:11124
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7520
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5096
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7004
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1984
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:696
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2376
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7000
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7552
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3112
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1180
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6920
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6808
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5776
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8532
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7776
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6444
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5640
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4596
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:984
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2612
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1044
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6944
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:11180
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2480
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2112
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10052
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6980
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6260
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6080
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1184
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4432
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:180
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4996
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:2076
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3504
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5912
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5348
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:408
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5360
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:624
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8020
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6224
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3936
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10384
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4588
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4004
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7928
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:10816
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6648
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1460
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1552
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5644
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5468
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7800
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5328
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8064
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2224
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:9664
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8952
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:4008
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5720
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6848
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1396
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3024
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1904
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8780
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8304
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:1948
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5788
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3620
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3960
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6484
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3828
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6228
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:7012
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6296
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5128
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5928
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4268
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3212
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5268
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5836
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5580
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:5444
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:5332
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:11236
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4716
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6792
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8140
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8296
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:8904
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8152
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:9440
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:8476
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:6976
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6400
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:10592
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6604
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:4340
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:7092
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:2236
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6276
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:1008
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:3080
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3376
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE8⤵PID:6120
-
-
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE7⤵PID:3968
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵PID:1576
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74B
MD56687785d6a31cdf9a5f80acb3abc459b
SHA11ddda26cc18189770eaaa4a9e78cc4abe4fe39c9
SHA2563b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b
SHA5125fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962
-
Filesize
2.6MB
MD57095a38546034f31f18058e0433f8159
SHA175cc892d3f2b3e2bfe5b3a3a99631779734f25e5
SHA2569f8f8fe12e8a38ea8c75020d2d12e55fc1ecb040709e424677aa65085e633707
SHA512fbd8eece7f137457e5f94c275ee4bf3e6227cb2afbf146f37932e5559e8579f5e6a618bae82cf44232020305454eccaed9db6fd3a9f40b1e296eeb6ea6f8a099
-
Filesize
2.6MB
MD53e773cb995325ebd78fa360529f5be6c
SHA1eacba0eef61dba9e025b1e04a85460c79b4345ed
SHA256a7f0c133a5e87f44b977131a7b0597db9fdca17ed835df07395842ea9589f060
SHA5120542d5d7709578b02b7c1a7068ec9400482a2aba653d81dcdce6344b58987f4e44804455d1dc523e5e8af020795ff00cd4faa3b625bab92afe42f191d12e2cf1