warzonerat | f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191

Analysis

max time kernel
149s
max time network
126s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
Size

1.8MB
MD5

c5b5e7134d28f77190b35cd98c2779ba
SHA1

df6538b2f1527afe8ff473387de959543ba02253
SHA256

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191
SHA512

5a6e3dc41a15b658ed849d8ab18ae07b0d650f5263485ce78ae46bc1f81ef893c54bb4da4cf451e7d189e9881de240722e29cff19144e6ac7d6d7cdb6fe418c0

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1016	explorer.exe
3292	explorer.exe
200	spoolsv.exe
2400	spoolsv.exe
1912	spoolsv.exe
1612	spoolsv.exe
3792	spoolsv.exe
3348	spoolsv.exe
2736	spoolsv.exe
3624	spoolsv.exe
480	spoolsv.exe
3832	spoolsv.exe
2152	spoolsv.exe
1428	spoolsv.exe
3032	spoolsv.exe
3060	spoolsv.exe
1200	spoolsv.exe
1204	spoolsv.exe
2240	spoolsv.exe
3900	spoolsv.exe
1400	spoolsv.exe
3964	spoolsv.exe
3428	spoolsv.exe
3928	spoolsv.exe
4080	spoolsv.exe
3580	spoolsv.exe
3244	spoolsv.exe
1300	spoolsv.exe
1924	spoolsv.exe
3740	spoolsv.exe
4036	spoolsv.exe
2272	spoolsv.exe
908	spoolsv.exe
3384	spoolsv.exe
1968	spoolsv.exe
2496	spoolsv.exe
1436	spoolsv.exe
3836	spoolsv.exe
196	spoolsv.exe
1160	spoolsv.exe
3612	spoolsv.exe
3196	spoolsv.exe
3352	spoolsv.exe
2176	spoolsv.exe
3772	spoolsv.exe
4104	spoolsv.exe
4132	spoolsv.exe
4156	spoolsv.exe
4192	spoolsv.exe
4216	spoolsv.exe
4240	spoolsv.exe
4264	spoolsv.exe
4304	spoolsv.exe
4328	spoolsv.exe
4352	spoolsv.exe
4376	spoolsv.exe
4416	spoolsv.exe
4440	spoolsv.exe
4464	spoolsv.exe
4500	spoolsv.exe
4524	spoolsv.exe
4544	spoolsv.exe
4560	spoolsv.exe
4580	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exef55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1736 set thread context of 4084	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1736 set thread context of 3920	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1016 set thread context of 3292	1016	explorer.exe	explorer.exe
PID 1016 set thread context of 2336	1016	explorer.exe	diskperf.exe
PID 200 set thread context of 6744	200	spoolsv.exe	spoolsv.exe
PID 200 set thread context of 6760	200	spoolsv.exe	diskperf.exe
PID 2400 set thread context of 6852	2400	spoolsv.exe	spoolsv.exe
PID 1912 set thread context of 6892	1912	spoolsv.exe	spoolsv.exe
PID 1912 set thread context of 6920	1912	spoolsv.exe	diskperf.exe
PID 1612 set thread context of 6960	1612	spoolsv.exe	spoolsv.exe
PID 1612 set thread context of 6976	1612	spoolsv.exe	diskperf.exe
PID 3792 set thread context of 7044	3792	spoolsv.exe	spoolsv.exe
PID 3348 set thread context of 7080	3348	spoolsv.exe	spoolsv.exe
PID 3348 set thread context of 7116	3348	spoolsv.exe	diskperf.exe
PID 2736 set thread context of 3064	2736	spoolsv.exe	spoolsv.exe
PID 3624 set thread context of 2124	3624	spoolsv.exe	spoolsv.exe
PID 3624 set thread context of 6820	3624	spoolsv.exe	diskperf.exe
PID 480 set thread context of 4172	480	spoolsv.exe	spoolsv.exe
PID 480 set thread context of 6856	480	spoolsv.exe	diskperf.exe
PID 3832 set thread context of 6872	3832	spoolsv.exe	spoolsv.exe
PID 3832 set thread context of 2052	3832	spoolsv.exe	diskperf.exe
PID 2152 set thread context of 6988	2152	spoolsv.exe	spoolsv.exe
PID 2152 set thread context of 6996	2152	spoolsv.exe	diskperf.exe
PID 1428 set thread context of 6972	1428	spoolsv.exe	spoolsv.exe
PID 1428 set thread context of 7064	1428	spoolsv.exe	diskperf.exe
PID 3032 set thread context of 7088	3032	spoolsv.exe	spoolsv.exe
PID 3032 set thread context of 3856	3032	spoolsv.exe	diskperf.exe
PID 3060 set thread context of 7140	3060	spoolsv.exe	spoolsv.exe
PID 3060 set thread context of 7072	3060	spoolsv.exe	diskperf.exe
PID 1200 set thread context of 2060	1200	spoolsv.exe	spoolsv.exe
PID 1204 set thread context of 3700	1204	spoolsv.exe	spoolsv.exe
PID 1204 set thread context of 6880	1204	spoolsv.exe	diskperf.exe
PID 2240 set thread context of 724	2240	spoolsv.exe	spoolsv.exe
PID 2240 set thread context of 3336	2240	spoolsv.exe	diskperf.exe
PID 3900 set thread context of 2156	3900	spoolsv.exe	spoolsv.exe
PID 3900 set thread context of 6992	3900	spoolsv.exe	diskperf.exe
PID 1400 set thread context of 4456	1400	spoolsv.exe	spoolsv.exe
PID 1400 set thread context of 1544	1400	spoolsv.exe	diskperf.exe
PID 3964 set thread context of 7140	3964	spoolsv.exe	spoolsv.exe
PID 3964 set thread context of 4480	3964	spoolsv.exe	diskperf.exe
PID 3428 set thread context of 6860	3428	spoolsv.exe	spoolsv.exe
PID 3928 set thread context of 2940	3928	spoolsv.exe	spoolsv.exe
PID 3928 set thread context of 204	3928	spoolsv.exe	diskperf.exe
PID 4080 set thread context of 2228	4080	spoolsv.exe	spoolsv.exe
PID 3580 set thread context of 2156	3580	spoolsv.exe	spoolsv.exe
PID 3580 set thread context of 4432	3580	spoolsv.exe	diskperf.exe
PID 3244 set thread context of 4588	3244	spoolsv.exe	spoolsv.exe
PID 3244 set thread context of 4604	3244	spoolsv.exe	diskperf.exe
PID 1300 set thread context of 4456	1300	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 4640	1300	spoolsv.exe	diskperf.exe
PID 1924 set thread context of 4676	1924	spoolsv.exe	spoolsv.exe
PID 1924 set thread context of 400	1924	spoolsv.exe	diskperf.exe
PID 3740 set thread context of 4704	3740	spoolsv.exe	spoolsv.exe
PID 3740 set thread context of 3940	3740	spoolsv.exe	diskperf.exe
PID 4036 set thread context of 1816	4036	spoolsv.exe	spoolsv.exe
PID 4036 set thread context of 4752	4036	spoolsv.exe	diskperf.exe
PID 2272 set thread context of 2632	2272	spoolsv.exe	spoolsv.exe
PID 2272 set thread context of 580	2272	spoolsv.exe	diskperf.exe
PID 908 set thread context of 4624	908	spoolsv.exe	spoolsv.exe
PID 908 set thread context of 4588	908	spoolsv.exe	diskperf.exe
PID 3384 set thread context of 1124	3384	spoolsv.exe	spoolsv.exe
PID 3384 set thread context of 428	3384	spoolsv.exe	diskperf.exe
PID 1968 set thread context of 4676	1968	spoolsv.exe	spoolsv.exe
PID 1968 set thread context of 2708	1968	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exef55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exeexplorer.exe

pid	process
4084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
4084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3292 explorer.exe

pid	process
3292	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
4084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
4084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
3292	explorer.exe
6744	spoolsv.exe
6744	spoolsv.exe
6852	spoolsv.exe
6852	spoolsv.exe
6892	spoolsv.exe
6892	spoolsv.exe
6960	spoolsv.exe
6960	spoolsv.exe
7044	spoolsv.exe
7044	spoolsv.exe
7080	spoolsv.exe
7080	spoolsv.exe
3064	spoolsv.exe
3064	spoolsv.exe
2124	spoolsv.exe
2124	spoolsv.exe
4172	spoolsv.exe
4172	spoolsv.exe
6872	spoolsv.exe
6872	spoolsv.exe
6988	spoolsv.exe
6988	spoolsv.exe
6972	spoolsv.exe
6972	spoolsv.exe
7088	spoolsv.exe
7088	spoolsv.exe
7140	spoolsv.exe
7140	spoolsv.exe
2060	spoolsv.exe
2060	spoolsv.exe
3700	spoolsv.exe
3700	spoolsv.exe
724	spoolsv.exe
724	spoolsv.exe
2156	spoolsv.exe
2156	spoolsv.exe
4456	spoolsv.exe
4456	spoolsv.exe
7140	spoolsv.exe
7140	spoolsv.exe
6860	spoolsv.exe
6860	spoolsv.exe
2940	spoolsv.exe
2940	spoolsv.exe
2228	spoolsv.exe
2228	spoolsv.exe
2156	spoolsv.exe
2156	spoolsv.exe
4588	spoolsv.exe
4588	spoolsv.exe
4456	spoolsv.exe
4456	spoolsv.exe
4676	spoolsv.exe
4676	spoolsv.exe
4704	spoolsv.exe
4704	spoolsv.exe
1816	spoolsv.exe
1816	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exef55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1736 wrote to memory of 4084	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1736 wrote to memory of 4084	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1736 wrote to memory of 4084	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1736 wrote to memory of 4084	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1736 wrote to memory of 4084	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1736 wrote to memory of 4084	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1736 wrote to memory of 4084	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1736 wrote to memory of 4084	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1736 wrote to memory of 3920	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1736 wrote to memory of 3920	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1736 wrote to memory of 3920	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1736 wrote to memory of 3920	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1736 wrote to memory of 3920	1736	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 4084 wrote to memory of 1016	4084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	explorer.exe
PID 4084 wrote to memory of 1016	4084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	explorer.exe
PID 4084 wrote to memory of 1016	4084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	explorer.exe
PID 1016 wrote to memory of 3292	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 3292	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 3292	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 3292	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 3292	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 3292	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 3292	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 3292	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 2336	1016	explorer.exe	diskperf.exe
PID 1016 wrote to memory of 2336	1016	explorer.exe	diskperf.exe
PID 1016 wrote to memory of 2336	1016	explorer.exe	diskperf.exe
PID 1016 wrote to memory of 2336	1016	explorer.exe	diskperf.exe
PID 1016 wrote to memory of 2336	1016	explorer.exe	diskperf.exe
PID 3292 wrote to memory of 200	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 200	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 200	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 2400	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 2400	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 2400	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 1912	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 1912	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 1912	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 1612	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 1612	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 1612	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3792	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3792	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3792	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3348	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3348	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3348	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 2736	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 2736	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 2736	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3624	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3624	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3624	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 480	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 480	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 480	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3832	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3832	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 3832	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 2152	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 2152	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 2152	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 1428	3292	explorer.exe	spoolsv.exe
PID 3292 wrote to memory of 1428	3292	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
"C:\Users\Admin\AppData\Local\Temp\f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
"C:\Users\Admin\AppData\Local\Temp\f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6744

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6960

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3064

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6796

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4172

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6988

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7088

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2724

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2060

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3700

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6900

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:724

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4456

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7140

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2796

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6860

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2940

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2220

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2228

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4588

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4060

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4456

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2632

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4624

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1124

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4924

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3444

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4884

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2172

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1624

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1208

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4292

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:192

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4688

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1952

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5096

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:188

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4968

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:808

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4136

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5304

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5336

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5352

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4320

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5424

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4148

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5304

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5420

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5536

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:2336

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:3920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:5572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
c5b5e7134d28f77190b35cd98c2779ba

SHA1
df6538b2f1527afe8ff473387de959543ba02253

SHA256
f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191

SHA512
5a6e3dc41a15b658ed849d8ab18ae07b0d650f5263485ce78ae46bc1f81ef893c54bb4da4cf451e7d189e9881de240722e29cff19144e6ac7d6d7cdb6fe418c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
6737167682798c1997aecd4001efd9ed

SHA1
cd7801dd081b0c303732aa03eaaec9e7272be679

SHA256
4c9198a604dd40c97a6098339a3eeb0e58ba98d4e7cc17df482f0de23484ad0f

SHA512
83fd33088036082973771078b398b5d4c89bfa5e28d9e02ea24c022f9bdc4b3804bdcb07577cdbb8f4394de0229d96d905abd9ff7aad74a068c388ac9597ac1f

Download Submit
C:\Windows\System\explorer.exe
MD5
6737167682798c1997aecd4001efd9ed

SHA1
cd7801dd081b0c303732aa03eaaec9e7272be679

SHA256
4c9198a604dd40c97a6098339a3eeb0e58ba98d4e7cc17df482f0de23484ad0f

SHA512
83fd33088036082973771078b398b5d4c89bfa5e28d9e02ea24c022f9bdc4b3804bdcb07577cdbb8f4394de0229d96d905abd9ff7aad74a068c388ac9597ac1f

Download Submit
C:\Windows\System\explorer.exe
MD5
6737167682798c1997aecd4001efd9ed

SHA1
cd7801dd081b0c303732aa03eaaec9e7272be679

SHA256
4c9198a604dd40c97a6098339a3eeb0e58ba98d4e7cc17df482f0de23484ad0f

SHA512
83fd33088036082973771078b398b5d4c89bfa5e28d9e02ea24c022f9bdc4b3804bdcb07577cdbb8f4394de0229d96d905abd9ff7aad74a068c388ac9597ac1f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
C:\Windows\System\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
\??\c:\windows\system\explorer.exe
MD5
6737167682798c1997aecd4001efd9ed

SHA1
cd7801dd081b0c303732aa03eaaec9e7272be679

SHA256
4c9198a604dd40c97a6098339a3eeb0e58ba98d4e7cc17df482f0de23484ad0f

SHA512
83fd33088036082973771078b398b5d4c89bfa5e28d9e02ea24c022f9bdc4b3804bdcb07577cdbb8f4394de0229d96d905abd9ff7aad74a068c388ac9597ac1f

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
feab6acd5219304cb8efdfdf9f03549f

SHA1
7367dd4b4f9ee04b0dd5e6e8bca3c2bf978b4921

SHA256
ac362724b2601549cc554f65f9afecb92981c51c92e06eb73dd73204b8190cad

SHA512
848c5bf3fcd0e744bae6184f97c64fe68811192e9774c594169bb187daa4f4ff32777b83327b19274b7c8dba0e8acc2c790f998599502b4e74f2859c364676cd

Download Submit
memory/196-252-0x0000000000000000-mapping.dmp

Download
memory/196-257-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/200-151-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/200-144-0x0000000000000000-mapping.dmp

Download
memory/480-174-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/480-167-0x0000000000000000-mapping.dmp

Download
memory/908-237-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/908-233-0x0000000000000000-mapping.dmp

Download
memory/1016-129-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1016-126-0x0000000000000000-mapping.dmp

Download
memory/1160-254-0x0000000000000000-mapping.dmp

Download
memory/1160-259-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1200-187-0x0000000000000000-mapping.dmp

Download
memory/1204-196-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/1204-189-0x0000000000000000-mapping.dmp

Download
memory/1300-220-0x0000000000000000-mapping.dmp

Download
memory/1300-226-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1400-205-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1400-199-0x0000000000000000-mapping.dmp

Download
memory/1428-185-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1428-177-0x0000000000000000-mapping.dmp

Download
memory/1436-244-0x0000000000000000-mapping.dmp

Download
memory/1436-247-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1612-154-0x0000000000000000-mapping.dmp

Download
memory/1612-160-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1736-114-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/1912-149-0x0000000000000000-mapping.dmp

Download
memory/1912-152-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1924-222-0x0000000000000000-mapping.dmp

Download
memory/1924-227-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1968-248-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1968-240-0x0000000000000000-mapping.dmp

Download
memory/2152-175-0x0000000000000000-mapping.dmp

Download
memory/2152-183-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2176-272-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2176-266-0x0000000000000000-mapping.dmp

Download
memory/2240-191-0x0000000000000000-mapping.dmp

Download
memory/2240-197-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2272-231-0x0000000000000000-mapping.dmp

Download
memory/2272-236-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2336-136-0x0000000000411000-mapping.dmp

Download
memory/2400-153-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2400-147-0x0000000000000000-mapping.dmp

Download
memory/2496-249-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2496-242-0x0000000000000000-mapping.dmp

Download
memory/2736-163-0x0000000000000000-mapping.dmp

Download
memory/2736-171-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3032-179-0x0000000000000000-mapping.dmp

Download
memory/3032-186-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3060-181-0x0000000000000000-mapping.dmp

Download
memory/3196-262-0x0000000000000000-mapping.dmp

Download
memory/3244-214-0x0000000000000000-mapping.dmp

Download
memory/3244-217-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3292-131-0x0000000000403670-mapping.dmp

Download
memory/3348-161-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3348-158-0x0000000000000000-mapping.dmp

Download
memory/3352-271-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/3352-264-0x0000000000000000-mapping.dmp

Download
memory/3384-246-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3384-238-0x0000000000000000-mapping.dmp

Download
memory/3428-203-0x0000000000000000-mapping.dmp

Download
memory/3428-207-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3580-219-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/3580-212-0x0000000000000000-mapping.dmp

Download
memory/3612-258-0x0000000000000000-mapping.dmp

Download
memory/3612-261-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3624-165-0x0000000000000000-mapping.dmp

Download
memory/3624-172-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3740-228-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/3740-224-0x0000000000000000-mapping.dmp

Download
memory/3772-274-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/3772-268-0x0000000000000000-mapping.dmp

Download
memory/3792-156-0x0000000000000000-mapping.dmp

Download
memory/3832-173-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3832-169-0x0000000000000000-mapping.dmp

Download
memory/3836-256-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/3836-250-0x0000000000000000-mapping.dmp

Download
memory/3900-198-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3900-193-0x0000000000000000-mapping.dmp

Download
memory/3920-118-0x0000000000411000-mapping.dmp

Download
memory/3920-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3920-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3928-216-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3928-208-0x0000000000000000-mapping.dmp

Download
memory/3964-201-0x0000000000000000-mapping.dmp

Download
memory/3964-206-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4036-229-0x0000000000000000-mapping.dmp

Download
memory/4080-210-0x0000000000000000-mapping.dmp

Download
memory/4080-218-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4084-116-0x0000000000403670-mapping.dmp

Download
memory/4084-122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4084-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4104-273-0x0000000000000000-mapping.dmp

Download
memory/4104-280-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4132-276-0x0000000000000000-mapping.dmp

Download
memory/4132-281-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4156-278-0x0000000000000000-mapping.dmp

Download
memory/4156-282-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4192-291-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4192-283-0x0000000000000000-mapping.dmp

Download
memory/4216-285-0x0000000000000000-mapping.dmp

Download
memory/4216-293-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4240-287-0x0000000000000000-mapping.dmp

Download
memory/4240-294-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4264-289-0x0000000000000000-mapping.dmp

Download
memory/4264-292-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4304-295-0x0000000000000000-mapping.dmp

Download
memory/4304-303-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4328-305-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4328-297-0x0000000000000000-mapping.dmp

Download
memory/4352-299-0x0000000000000000-mapping.dmp

Download
memory/4352-306-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4376-301-0x0000000000000000-mapping.dmp

Download
memory/4376-304-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4416-307-0x0000000000000000-mapping.dmp

Download
memory/4416-313-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4440-315-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/4440-309-0x0000000000000000-mapping.dmp

Download
memory/4464-311-0x0000000000000000-mapping.dmp

Download
memory/4464-314-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4500-316-0x0000000000000000-mapping.dmp

Download
memory/4500-319-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4524-318-0x0000000000000000-mapping.dmp

Download