warzonerat | 509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647

Analysis

max time kernel
150s
max time network
17s
platform
windows7_x64
resource
win7v20210408
submitted
04-05-2021 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
Size

1.8MB
MD5

c751650a93ae7535b12bd544e878cb92
SHA1

0b73c8c183250ea62d5c076a3740dd4ba3987fe6
SHA256

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647
SHA512

cd840ea9c8000e24d42f53077acf44c595578c3113efe23ef1e6b0a75e98d36fc9c521589225cd24fca91e9a8bde1280106f47901b3b2db3aa78ec164cd6cb40

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
368	explorer.exe
1552	explorer.exe
1044	spoolsv.exe
1152	spoolsv.exe
328	spoolsv.exe
436	spoolsv.exe
1428	spoolsv.exe
2012	spoolsv.exe
828	spoolsv.exe
1320	spoolsv.exe
912	spoolsv.exe
1340	spoolsv.exe
1540	spoolsv.exe
520	spoolsv.exe
1648	spoolsv.exe
1740	spoolsv.exe
1512	spoolsv.exe
1264	spoolsv.exe
860	spoolsv.exe
1880	spoolsv.exe
1600	spoolsv.exe
1248	spoolsv.exe
1052	spoolsv.exe
1028	spoolsv.exe
1888	spoolsv.exe
1828	spoolsv.exe
1328	spoolsv.exe
1192	spoolsv.exe
1260	spoolsv.exe
1588	spoolsv.exe
2024	spoolsv.exe
1288	spoolsv.exe
920	spoolsv.exe
676	spoolsv.exe
940	spoolsv.exe
1800	spoolsv.exe
560	spoolsv.exe
2000	spoolsv.exe
1344	spoolsv.exe
1972	spoolsv.exe
540	spoolsv.exe
1112	spoolsv.exe
1144	spoolsv.exe
1580	spoolsv.exe
1652	spoolsv.exe
972	spoolsv.exe
864	spoolsv.exe
1572	spoolsv.exe
1268	spoolsv.exe
2004	spoolsv.exe
1616	spoolsv.exe
1620	spoolsv.exe
1156	spoolsv.exe
764	spoolsv.exe
1312	spoolsv.exe
1792	spoolsv.exe
1488	spoolsv.exe
1080	spoolsv.exe
1032	spoolsv.exe
632	spoolsv.exe
932	spoolsv.exe
1532	spoolsv.exe
1136	spoolsv.exe
1980	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exeexplorer.exe

pid	process
360	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
360	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2004 set thread context of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 set thread context of 1084	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	diskperf.exe
PID 368 set thread context of 1552	368	explorer.exe	explorer.exe
PID 368 set thread context of 1836	368	explorer.exe	diskperf.exe
PID 1044 set thread context of 3324	1044	spoolsv.exe	spoolsv.exe
PID 1044 set thread context of 3332	1044	spoolsv.exe	diskperf.exe
PID 1152 set thread context of 3388	1152	spoolsv.exe	spoolsv.exe
PID 1152 set thread context of 3396	1152	spoolsv.exe	diskperf.exe
PID 328 set thread context of 3424	328	spoolsv.exe	spoolsv.exe
PID 328 set thread context of 3432	328	spoolsv.exe	diskperf.exe
PID 436 set thread context of 3456	436	spoolsv.exe	spoolsv.exe
PID 436 set thread context of 3464	436	spoolsv.exe	diskperf.exe
PID 1428 set thread context of 3492	1428	spoolsv.exe	spoolsv.exe
PID 1428 set thread context of 3500	1428	spoolsv.exe	diskperf.exe
PID 2012 set thread context of 3528	2012	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 3536	2012	spoolsv.exe	diskperf.exe
PID 828 set thread context of 3568	828	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 3576	828	spoolsv.exe	diskperf.exe
PID 1320 set thread context of 3604	1320	spoolsv.exe	spoolsv.exe
PID 1320 set thread context of 3612	1320	spoolsv.exe	diskperf.exe
PID 912 set thread context of 3640	912	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 3648	912	spoolsv.exe	diskperf.exe
PID 1340 set thread context of 3676	1340	spoolsv.exe	spoolsv.exe
PID 1340 set thread context of 3684	1340	spoolsv.exe	diskperf.exe
PID 1540 set thread context of 3712	1540	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 3720	1540	spoolsv.exe	diskperf.exe
PID 520 set thread context of 3748	520	spoolsv.exe	spoolsv.exe
PID 520 set thread context of 3756	520	spoolsv.exe	diskperf.exe
PID 1648 set thread context of 3780	1648	spoolsv.exe	spoolsv.exe
PID 1648 set thread context of 3788	1648	spoolsv.exe	diskperf.exe
PID 1740 set thread context of 3808	1740	spoolsv.exe	spoolsv.exe
PID 1740 set thread context of 3816	1740	spoolsv.exe	diskperf.exe
PID 1512 set thread context of 3836	1512	spoolsv.exe	spoolsv.exe
PID 1512 set thread context of 3844	1512	spoolsv.exe	diskperf.exe
PID 1264 set thread context of 3864	1264	spoolsv.exe	spoolsv.exe
PID 1264 set thread context of 3872	1264	spoolsv.exe	diskperf.exe
PID 860 set thread context of 3892	860	spoolsv.exe	spoolsv.exe
PID 860 set thread context of 3900	860	spoolsv.exe	diskperf.exe
PID 1880 set thread context of 3920	1880	spoolsv.exe	spoolsv.exe
PID 1880 set thread context of 3928	1880	spoolsv.exe	diskperf.exe
PID 1600 set thread context of 3948	1600	spoolsv.exe	spoolsv.exe
PID 1600 set thread context of 3956	1600	spoolsv.exe	diskperf.exe
PID 1248 set thread context of 3984	1248	spoolsv.exe	spoolsv.exe
PID 1248 set thread context of 4004	1248	spoolsv.exe	diskperf.exe
PID 1052 set thread context of 4012	1052	spoolsv.exe	spoolsv.exe
PID 1052 set thread context of 4024	1052	spoolsv.exe	diskperf.exe
PID 1028 set thread context of 4032	1028	spoolsv.exe	spoolsv.exe
PID 1028 set thread context of 4040	1028	spoolsv.exe	diskperf.exe
PID 1888 set thread context of 4048	1888	spoolsv.exe	spoolsv.exe
PID 1828 set thread context of 4056	1828	spoolsv.exe	spoolsv.exe
PID 1888 set thread context of 4076	1888	spoolsv.exe	diskperf.exe
PID 1328 set thread context of 4092	1328	spoolsv.exe	spoolsv.exe
PID 1828 set thread context of 4084	1828	spoolsv.exe	diskperf.exe
PID 1328 set thread context of 456	1328	spoolsv.exe	diskperf.exe
PID 1192 set thread context of 3356	1192	spoolsv.exe	spoolsv.exe
PID 1192 set thread context of 3352	1192	spoolsv.exe	diskperf.exe
PID 1260 set thread context of 656	1260	spoolsv.exe	spoolsv.exe
PID 1588 set thread context of 3440	1588	spoolsv.exe	spoolsv.exe
PID 1260 set thread context of 1752	1260	spoolsv.exe	diskperf.exe
PID 1588 set thread context of 1720	1588	spoolsv.exe	diskperf.exe
PID 2024 set thread context of 3484	2024	spoolsv.exe	spoolsv.exe
PID 1288 set thread context of 3460	1288	spoolsv.exe	spoolsv.exe
PID 1288 set thread context of 3524	1288	spoolsv.exe	diskperf.exe
PID 2024 set thread context of 3520	2024	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exeexplorer.exe

pid	process
360	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1552 explorer.exe

pid	process
1552	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
360	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
360	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
1552	explorer.exe
3324	spoolsv.exe
3324	spoolsv.exe
3388	spoolsv.exe
3388	spoolsv.exe
3424	spoolsv.exe
3424	spoolsv.exe
3456	spoolsv.exe
3456	spoolsv.exe
3492	spoolsv.exe
3492	spoolsv.exe
3528	spoolsv.exe
3528	spoolsv.exe
3568	spoolsv.exe
3568	spoolsv.exe
3604	spoolsv.exe
3604	spoolsv.exe
3640	spoolsv.exe
3640	spoolsv.exe
3676	spoolsv.exe
3676	spoolsv.exe
3712	spoolsv.exe
3712	spoolsv.exe
3748	spoolsv.exe
3748	spoolsv.exe
3780	spoolsv.exe
3780	spoolsv.exe
3808	spoolsv.exe
3808	spoolsv.exe
3836	spoolsv.exe
3836	spoolsv.exe
3864	spoolsv.exe
3864	spoolsv.exe
3892	spoolsv.exe
3892	spoolsv.exe
3920	spoolsv.exe
3920	spoolsv.exe
3948	spoolsv.exe
3948	spoolsv.exe
3984	spoolsv.exe
3984	spoolsv.exe
4012	spoolsv.exe
4012	spoolsv.exe
4032	spoolsv.exe
4032	spoolsv.exe
4048	spoolsv.exe
4048	spoolsv.exe
4056	spoolsv.exe
4056	spoolsv.exe
4092	spoolsv.exe
4092	spoolsv.exe
3356	spoolsv.exe
3356	spoolsv.exe
656	spoolsv.exe
656	spoolsv.exe
3440	spoolsv.exe
3440	spoolsv.exe
3484	spoolsv.exe
3460	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2004 wrote to memory of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 wrote to memory of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 wrote to memory of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 wrote to memory of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 wrote to memory of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 wrote to memory of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 wrote to memory of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 wrote to memory of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 wrote to memory of 360	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
PID 2004 wrote to memory of 1084	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	diskperf.exe
PID 2004 wrote to memory of 1084	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	diskperf.exe
PID 2004 wrote to memory of 1084	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	diskperf.exe
PID 2004 wrote to memory of 1084	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	diskperf.exe
PID 2004 wrote to memory of 1084	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	diskperf.exe
PID 2004 wrote to memory of 1084	2004	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	diskperf.exe
PID 360 wrote to memory of 368	360	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	explorer.exe
PID 360 wrote to memory of 368	360	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	explorer.exe
PID 360 wrote to memory of 368	360	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	explorer.exe
PID 360 wrote to memory of 368	360	509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe	explorer.exe
PID 368 wrote to memory of 1552	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 1552	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 1552	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 1552	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 1552	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 1552	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 1552	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 1552	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 1552	368	explorer.exe	explorer.exe
PID 368 wrote to memory of 1836	368	explorer.exe	diskperf.exe
PID 368 wrote to memory of 1836	368	explorer.exe	diskperf.exe
PID 368 wrote to memory of 1836	368	explorer.exe	diskperf.exe
PID 368 wrote to memory of 1836	368	explorer.exe	diskperf.exe
PID 368 wrote to memory of 1836	368	explorer.exe	diskperf.exe
PID 368 wrote to memory of 1836	368	explorer.exe	diskperf.exe
PID 1552 wrote to memory of 1044	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1044	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1044	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1044	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1152	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1152	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1152	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1152	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 328	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 328	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 328	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 328	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 436	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 436	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 436	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 436	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1428	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1428	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1428	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1428	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 2012	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 2012	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 2012	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 2012	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 828	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 828	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 828	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 828	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1320	1552	explorer.exe	spoolsv.exe
PID 1552 wrote to memory of 1320	1552	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
"C:\Users\Admin\AppData\Local\Temp\509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe
"C:\Users\Admin\AppData\Local\Temp\509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:360

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:368

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3324

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3388

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3408

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3424

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3448

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3456

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3476

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3492

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3528

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3568

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3604

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3640

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3712

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3780

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3808

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3836

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3864

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3892

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3948

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3984

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4048

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3356

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3404

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3588

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3492

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3704

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3952

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4060

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3360

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3492

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3752

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:396

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1392

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1332

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1084

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
c751650a93ae7535b12bd544e878cb92

SHA1
0b73c8c183250ea62d5c076a3740dd4ba3987fe6

SHA256
509fb9cf9464493c4f2e1ee6479f8e7f92fa6f2ac53eb0ae4490dc7b94576647

SHA512
cd840ea9c8000e24d42f53077acf44c595578c3113efe23ef1e6b0a75e98d36fc9c521589225cd24fca91e9a8bde1280106f47901b3b2db3aa78ec164cd6cb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
2f8e55a282d0327078e12f2746470a40

SHA1
192e108af7474ea602429e93c0fce7947c0ede7b

SHA256
7293da0005aea59e0904f6eb665d5337c4a231970a0c940a74ea2eb381d7036c

SHA512
ebd67526bd166e8add958b612650497981aecf6aafbb93c6a79397b71e6264c2da7505d6b9bc193451df042a328e4a277c0354c2bb5b2db4681e8b39268e7843

Download Submit
C:\Windows\system\explorer.exe
MD5
2f8e55a282d0327078e12f2746470a40

SHA1
192e108af7474ea602429e93c0fce7947c0ede7b

SHA256
7293da0005aea59e0904f6eb665d5337c4a231970a0c940a74ea2eb381d7036c

SHA512
ebd67526bd166e8add958b612650497981aecf6aafbb93c6a79397b71e6264c2da7505d6b9bc193451df042a328e4a277c0354c2bb5b2db4681e8b39268e7843

Download Submit
C:\Windows\system\explorer.exe
MD5
2f8e55a282d0327078e12f2746470a40

SHA1
192e108af7474ea602429e93c0fce7947c0ede7b

SHA256
7293da0005aea59e0904f6eb665d5337c4a231970a0c940a74ea2eb381d7036c

SHA512
ebd67526bd166e8add958b612650497981aecf6aafbb93c6a79397b71e6264c2da7505d6b9bc193451df042a328e4a277c0354c2bb5b2db4681e8b39268e7843

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\??\c:\windows\system\explorer.exe
MD5
2f8e55a282d0327078e12f2746470a40

SHA1
192e108af7474ea602429e93c0fce7947c0ede7b

SHA256
7293da0005aea59e0904f6eb665d5337c4a231970a0c940a74ea2eb381d7036c

SHA512
ebd67526bd166e8add958b612650497981aecf6aafbb93c6a79397b71e6264c2da7505d6b9bc193451df042a328e4a277c0354c2bb5b2db4681e8b39268e7843

Download Submit
\Windows\system\explorer.exe
MD5
2f8e55a282d0327078e12f2746470a40

SHA1
192e108af7474ea602429e93c0fce7947c0ede7b

SHA256
7293da0005aea59e0904f6eb665d5337c4a231970a0c940a74ea2eb381d7036c

SHA512
ebd67526bd166e8add958b612650497981aecf6aafbb93c6a79397b71e6264c2da7505d6b9bc193451df042a328e4a277c0354c2bb5b2db4681e8b39268e7843

Download Submit
\Windows\system\explorer.exe
MD5
2f8e55a282d0327078e12f2746470a40

SHA1
192e108af7474ea602429e93c0fce7947c0ede7b

SHA256
7293da0005aea59e0904f6eb665d5337c4a231970a0c940a74ea2eb381d7036c

SHA512
ebd67526bd166e8add958b612650497981aecf6aafbb93c6a79397b71e6264c2da7505d6b9bc193451df042a328e4a277c0354c2bb5b2db4681e8b39268e7843

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
\Windows\system\spoolsv.exe
MD5
5a8ab693534f993748d95040e500c98e

SHA1
19ca65ffd17c095df65d7c5b00e930d65ddb2263

SHA256
3c0b99e71e4d0068e35a304694c799f1afc41cc2dc63ef2e6639e378eb823489

SHA512
1cd4e2ab62dc7cccd5b65490970d07e36caee94e6112ed72f0a5e8245a7d448ce7361600a03005437cbbd9d946d818ff4fd91cd652cbf05c23fac3baa0eeafc9

Download Submit
memory/328-107-0x0000000000000000-mapping.dmp

Download
memory/360-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/360-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/360-63-0x0000000000403670-mapping.dmp

Download
memory/368-73-0x0000000000000000-mapping.dmp

Download
memory/368-78-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/436-127-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/436-113-0x0000000000000000-mapping.dmp

Download
memory/520-175-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/520-161-0x0000000000000000-mapping.dmp

Download
memory/540-281-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/540-265-0x0000000000000000-mapping.dmp

Download
memory/560-250-0x0000000000000000-mapping.dmp

Download
memory/632-310-0x0000000000000000-mapping.dmp

Download
memory/676-244-0x0000000000000000-mapping.dmp

Download
memory/676-258-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/764-304-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/764-296-0x0000000000000000-mapping.dmp

Download
memory/828-132-0x0000000000000000-mapping.dmp

Download
memory/828-142-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/860-195-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/860-190-0x0000000000000000-mapping.dmp

Download
memory/864-277-0x0000000000000000-mapping.dmp

Download
memory/912-157-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/912-143-0x0000000000000000-mapping.dmp

Download
memory/920-234-0x0000000000000000-mapping.dmp

Download
memory/932-311-0x0000000000000000-mapping.dmp

Download
memory/940-246-0x0000000000000000-mapping.dmp

Download
memory/972-275-0x0000000000000000-mapping.dmp

Download
memory/972-286-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1028-219-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1028-211-0x0000000000000000-mapping.dmp

Download
memory/1032-315-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1032-309-0x0000000000000000-mapping.dmp

Download
memory/1044-99-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1044-94-0x0000000000000000-mapping.dmp

Download
memory/1052-218-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1052-209-0x0000000000000000-mapping.dmp

Download
memory/1080-308-0x0000000000000000-mapping.dmp

Download
memory/1084-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1084-65-0x0000000000411000-mapping.dmp

Download
memory/1084-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1112-267-0x0000000000000000-mapping.dmp

Download
memory/1144-269-0x0000000000000000-mapping.dmp

Download
memory/1144-283-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1152-102-0x0000000000000000-mapping.dmp

Download
memory/1152-110-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1156-303-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1156-295-0x0000000000000000-mapping.dmp

Download
memory/1192-224-0x0000000000000000-mapping.dmp

Download
memory/1192-239-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1248-217-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1248-207-0x0000000000000000-mapping.dmp

Download
memory/1260-226-0x0000000000000000-mapping.dmp

Download
memory/1264-185-0x0000000000000000-mapping.dmp

Download
memory/1268-289-0x0000000000000000-mapping.dmp

Download
memory/1288-232-0x0000000000000000-mapping.dmp

Download
memory/1312-297-0x0000000000000000-mapping.dmp

Download
memory/1320-137-0x0000000000000000-mapping.dmp

Download
memory/1320-144-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1328-222-0x0000000000000000-mapping.dmp

Download
memory/1340-158-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1340-149-0x0000000000000000-mapping.dmp

Download
memory/1344-263-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1344-254-0x0000000000000000-mapping.dmp

Download
memory/1428-129-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1428-118-0x0000000000000000-mapping.dmp

Download
memory/1488-307-0x0000000000000000-mapping.dmp

Download
memory/1488-312-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1512-180-0x0000000000000000-mapping.dmp

Download
memory/1540-154-0x0000000000000000-mapping.dmp

Download
memory/1540-162-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1552-81-0x0000000000403670-mapping.dmp

Download
memory/1572-288-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1572-279-0x0000000000000000-mapping.dmp

Download
memory/1580-271-0x0000000000000000-mapping.dmp

Download
memory/1588-228-0x0000000000000000-mapping.dmp

Download
memory/1600-204-0x0000000000000000-mapping.dmp

Download
memory/1600-215-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1616-301-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1616-293-0x0000000000000000-mapping.dmp

Download
memory/1620-302-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1620-294-0x0000000000000000-mapping.dmp

Download
memory/1648-167-0x0000000000000000-mapping.dmp

Download
memory/1652-273-0x0000000000000000-mapping.dmp

Download
memory/1740-177-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1740-172-0x0000000000000000-mapping.dmp

Download
memory/1792-298-0x0000000000000000-mapping.dmp

Download
memory/1800-248-0x0000000000000000-mapping.dmp

Download
memory/1800-260-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1828-220-0x0000000000000000-mapping.dmp

Download
memory/1828-235-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1836-87-0x0000000000411000-mapping.dmp

Download
memory/1880-201-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1880-198-0x0000000000000000-mapping.dmp

Download
memory/1888-216-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1888-213-0x0000000000000000-mapping.dmp

Download
memory/1972-256-0x0000000000000000-mapping.dmp

Download
memory/2000-262-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2000-252-0x0000000000000000-mapping.dmp

Download
memory/2004-291-0x0000000000000000-mapping.dmp

Download
memory/2004-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2004-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/2012-123-0x0000000000000000-mapping.dmp

Download
memory/2012-128-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2024-230-0x0000000000000000-mapping.dmp

Download
memory/2024-242-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads