warzonerat | 3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60

Analysis

max time kernel
152s
max time network
150s
platform
windows7_x64
resource
win7v20210408
submitted
04-05-2021 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
Size

1.8MB
MD5

fc297900e07d910893b63adbe917ef3f
SHA1

d15657071067de4885e8d38d5b259f8b6da9ba04
SHA256

3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60
SHA512

74645a91a234a21b1c1737d9e9852028424d5ea9e8a0e0f545f9f995cf716eba23652db8058dc65e80ef7859348e06f015572537dc6277faf0ea4e3d0588dccc

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1392	explorer.exe
576	explorer.exe
1536	spoolsv.exe
1068	spoolsv.exe
1800	spoolsv.exe
1596	spoolsv.exe
548	spoolsv.exe
1996	spoolsv.exe
1784	spoolsv.exe
1428	spoolsv.exe
2044	spoolsv.exe
1248	spoolsv.exe
2012	spoolsv.exe
1704	spoolsv.exe
384	spoolsv.exe
1628	spoolsv.exe
1560	spoolsv.exe
1760	spoolsv.exe
536	spoolsv.exe
568	spoolsv.exe
860	spoolsv.exe
1592	spoolsv.exe
1144	spoolsv.exe
456	spoolsv.exe
920	spoolsv.exe
1976	spoolsv.exe
1844	spoolsv.exe
1420	spoolsv.exe
888	spoolsv.exe
952	spoolsv.exe
1856	spoolsv.exe
1404	spoolsv.exe
1900	spoolsv.exe
1724	spoolsv.exe
1572	spoolsv.exe
1452	spoolsv.exe
1504	spoolsv.exe
1956	spoolsv.exe
2036	spoolsv.exe
1964	spoolsv.exe
1004	spoolsv.exe
1132	spoolsv.exe
964	spoolsv.exe
928	spoolsv.exe
1764	spoolsv.exe
1576	spoolsv.exe
1980	spoolsv.exe
1228	spoolsv.exe
1984	spoolsv.exe
1556	spoolsv.exe
1728	spoolsv.exe
1680	spoolsv.exe
1520	spoolsv.exe
1836	spoolsv.exe
1444	spoolsv.exe
1216	spoolsv.exe
1376	spoolsv.exe
1736	spoolsv.exe
1696	spoolsv.exe
2040	spoolsv.exe
1584	spoolsv.exe
1664	spoolsv.exe
1636	spoolsv.exe
856	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exeexplorer.exe

pid	process
1520	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
1520	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe

Adds Run key to start application 2 TTPs 57 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1660 set thread context of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 set thread context of 1676	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	diskperf.exe
PID 1392 set thread context of 576	1392	explorer.exe	explorer.exe
PID 1392 set thread context of 752	1392	explorer.exe	diskperf.exe
PID 1536 set thread context of 3300	1536	spoolsv.exe	spoolsv.exe
PID 1536 set thread context of 3308	1536	spoolsv.exe	diskperf.exe
PID 1068 set thread context of 3356	1068	spoolsv.exe	spoolsv.exe
PID 1068 set thread context of 3364	1068	spoolsv.exe	diskperf.exe
PID 1800 set thread context of 3392	1800	spoolsv.exe	spoolsv.exe
PID 1800 set thread context of 3400	1800	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 3428	1596	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 3436	1596	spoolsv.exe	diskperf.exe
PID 548 set thread context of 3456	548	spoolsv.exe	spoolsv.exe
PID 548 set thread context of 3464	548	spoolsv.exe	diskperf.exe
PID 1996 set thread context of 3476	1996	spoolsv.exe	spoolsv.exe
PID 1996 set thread context of 3484	1996	spoolsv.exe	diskperf.exe
PID 1784 set thread context of 3512	1784	spoolsv.exe	spoolsv.exe
PID 1784 set thread context of 3520	1784	spoolsv.exe	diskperf.exe
PID 1428 set thread context of 3548	1428	spoolsv.exe	spoolsv.exe
PID 1428 set thread context of 3556	1428	spoolsv.exe	diskperf.exe
PID 2044 set thread context of 3584	2044	spoolsv.exe	spoolsv.exe
PID 2044 set thread context of 3592	2044	spoolsv.exe	diskperf.exe
PID 1248 set thread context of 3620	1248	spoolsv.exe	spoolsv.exe
PID 1248 set thread context of 3628	1248	spoolsv.exe	diskperf.exe
PID 2012 set thread context of 3656	2012	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 3664	2012	spoolsv.exe	diskperf.exe
PID 1704 set thread context of 3692	1704	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 3700	1704	spoolsv.exe	diskperf.exe
PID 384 set thread context of 3728	384	spoolsv.exe	spoolsv.exe
PID 384 set thread context of 3736	384	spoolsv.exe	diskperf.exe
PID 1628 set thread context of 3760	1628	spoolsv.exe	spoolsv.exe
PID 1628 set thread context of 3768	1628	spoolsv.exe	diskperf.exe
PID 1560 set thread context of 3800	1560	spoolsv.exe	spoolsv.exe
PID 1560 set thread context of 3808	1560	spoolsv.exe	diskperf.exe
PID 1760 set thread context of 3832	1760	spoolsv.exe	spoolsv.exe
PID 1760 set thread context of 3840	1760	spoolsv.exe	diskperf.exe
PID 536 set thread context of 3868	536	spoolsv.exe	spoolsv.exe
PID 536 set thread context of 3876	536	spoolsv.exe	diskperf.exe
PID 568 set thread context of 3904	568	spoolsv.exe	spoolsv.exe
PID 568 set thread context of 3912	568	spoolsv.exe	diskperf.exe
PID 860 set thread context of 3936	860	spoolsv.exe	spoolsv.exe
PID 860 set thread context of 3944	860	spoolsv.exe	diskperf.exe
PID 1592 set thread context of 3972	1592	spoolsv.exe	spoolsv.exe
PID 1592 set thread context of 3980	1592	spoolsv.exe	diskperf.exe
PID 456 set thread context of 4008	456	spoolsv.exe	spoolsv.exe
PID 1144 set thread context of 4000	1144	spoolsv.exe	spoolsv.exe
PID 456 set thread context of 4016	456	spoolsv.exe	diskperf.exe
PID 1144 set thread context of 4036	1144	spoolsv.exe	diskperf.exe
PID 920 set thread context of 4044	920	spoolsv.exe	spoolsv.exe
PID 1976 set thread context of 4052	1976	spoolsv.exe	spoolsv.exe
PID 920 set thread context of 4060	920	spoolsv.exe	diskperf.exe
PID 1976 set thread context of 4068	1976	spoolsv.exe	diskperf.exe
PID 1844 set thread context of 4076	1844	spoolsv.exe	spoolsv.exe
PID 1420 set thread context of 4084	1420	spoolsv.exe	spoolsv.exe
PID 1844 set thread context of 4092	1844	spoolsv.exe	diskperf.exe
PID 1420 set thread context of 544	1420	spoolsv.exe	diskperf.exe
PID 952 set thread context of 108	952	spoolsv.exe	spoolsv.exe
PID 888 set thread context of 3320	888	spoolsv.exe	spoolsv.exe
PID 1856 set thread context of 3360	1856	spoolsv.exe	spoolsv.exe
PID 1856 set thread context of 892	1856	spoolsv.exe	diskperf.exe
PID 1404 set thread context of 3444	1404	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 3396	952	spoolsv.exe	diskperf.exe
PID 888 set thread context of 3408	888	spoolsv.exe	diskperf.exe
PID 1404 set thread context of 3460	1404	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exeexplorer.exe

pid	process
1520	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

576 explorer.exe

pid	process
576	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1520	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
1520	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
576	explorer.exe
3300	spoolsv.exe
3300	spoolsv.exe
3356	spoolsv.exe
3356	spoolsv.exe
3392	spoolsv.exe
3392	spoolsv.exe
3428	spoolsv.exe
3428	spoolsv.exe
3456	spoolsv.exe
3456	spoolsv.exe
3476	spoolsv.exe
3476	spoolsv.exe
3512	spoolsv.exe
3512	spoolsv.exe
3548	spoolsv.exe
3548	spoolsv.exe
3584	spoolsv.exe
3584	spoolsv.exe
3620	spoolsv.exe
3620	spoolsv.exe
3656	spoolsv.exe
3656	spoolsv.exe
3692	spoolsv.exe
3692	spoolsv.exe
3728	spoolsv.exe
3728	spoolsv.exe
3760	spoolsv.exe
3760	spoolsv.exe
3800	spoolsv.exe
3800	spoolsv.exe
3832	spoolsv.exe
3832	spoolsv.exe
3868	spoolsv.exe
3868	spoolsv.exe
3904	spoolsv.exe
3904	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
3972	spoolsv.exe
3972	spoolsv.exe
4008	spoolsv.exe
4008	spoolsv.exe
4000	spoolsv.exe
4000	spoolsv.exe
4044	spoolsv.exe
4052	spoolsv.exe
4052	spoolsv.exe
4076	spoolsv.exe
3360	spoolsv.exe
3320	spoolsv.exe
4044	spoolsv.exe
3444	spoolsv.exe
3360	spoolsv.exe
3320	spoolsv.exe
4076	spoolsv.exe
3444	spoolsv.exe
4084	spoolsv.exe
300	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1660 wrote to memory of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 wrote to memory of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 wrote to memory of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 wrote to memory of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 wrote to memory of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 wrote to memory of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 wrote to memory of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 wrote to memory of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 wrote to memory of 1520	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
PID 1660 wrote to memory of 1676	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	diskperf.exe
PID 1660 wrote to memory of 1676	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	diskperf.exe
PID 1660 wrote to memory of 1676	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	diskperf.exe
PID 1660 wrote to memory of 1676	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	diskperf.exe
PID 1660 wrote to memory of 1676	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	diskperf.exe
PID 1660 wrote to memory of 1676	1660	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	diskperf.exe
PID 1520 wrote to memory of 1392	1520	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	explorer.exe
PID 1520 wrote to memory of 1392	1520	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	explorer.exe
PID 1520 wrote to memory of 1392	1520	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	explorer.exe
PID 1520 wrote to memory of 1392	1520	3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe	explorer.exe
PID 1392 wrote to memory of 576	1392	explorer.exe	explorer.exe
PID 1392 wrote to memory of 576	1392	explorer.exe	explorer.exe
PID 1392 wrote to memory of 576	1392	explorer.exe	explorer.exe
PID 1392 wrote to memory of 576	1392	explorer.exe	explorer.exe
PID 1392 wrote to memory of 576	1392	explorer.exe	explorer.exe
PID 1392 wrote to memory of 576	1392	explorer.exe	explorer.exe
PID 1392 wrote to memory of 576	1392	explorer.exe	explorer.exe
PID 1392 wrote to memory of 576	1392	explorer.exe	explorer.exe
PID 1392 wrote to memory of 576	1392	explorer.exe	explorer.exe
PID 1392 wrote to memory of 752	1392	explorer.exe	diskperf.exe
PID 1392 wrote to memory of 752	1392	explorer.exe	diskperf.exe
PID 1392 wrote to memory of 752	1392	explorer.exe	diskperf.exe
PID 1392 wrote to memory of 752	1392	explorer.exe	diskperf.exe
PID 1392 wrote to memory of 752	1392	explorer.exe	diskperf.exe
PID 1392 wrote to memory of 752	1392	explorer.exe	diskperf.exe
PID 576 wrote to memory of 1536	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1536	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1536	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1536	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1068	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1068	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1068	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1068	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1800	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1800	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1800	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1800	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1596	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1596	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1596	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1596	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 548	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 548	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 548	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 548	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1996	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1996	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1996	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1996	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1784	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1784	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1784	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1784	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1428	576	explorer.exe	spoolsv.exe
PID 576 wrote to memory of 1428	576	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
"C:\Users\Admin\AppData\Local\Temp\3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe
"C:\Users\Admin\AppData\Local\Temp\3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1392

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3300

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3356

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3392

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3428

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3448

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3476

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3496

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3512

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3548

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3620

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3728

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3760

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3800

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3832

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3904

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3928

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3936

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3972

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3320

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3360

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3544

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1492

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4012

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1220

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3940

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3636

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1112

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1744

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3340

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:752

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1676

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
fc297900e07d910893b63adbe917ef3f

SHA1
d15657071067de4885e8d38d5b259f8b6da9ba04

SHA256
3f1b5e5d56db51d8fce87a0dcffb71aba5f04698f97ec274bbb87ec933310f60

SHA512
74645a91a234a21b1c1737d9e9852028424d5ea9e8a0e0f545f9f995cf716eba23652db8058dc65e80ef7859348e06f015572537dc6277faf0ea4e3d0588dccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
94c63124ad85800c8f8181bb98b371b9

SHA1
4301e23518337d499a88e874bf0d43a15d5bce9d

SHA256
5382e046cf562aef367d532e8dad0fd3ccd93605fcf11096135064a34b1eb6dc

SHA512
5fccc977809ea0fedde146543698f575e0707bb6ead99faf7179748f7a57b7d9af64dbc74983a1804a4358d66cfb36864dc12c29404ada6f8a9698868cd3c9f6

Download Submit
C:\Windows\system\explorer.exe
MD5
94c63124ad85800c8f8181bb98b371b9

SHA1
4301e23518337d499a88e874bf0d43a15d5bce9d

SHA256
5382e046cf562aef367d532e8dad0fd3ccd93605fcf11096135064a34b1eb6dc

SHA512
5fccc977809ea0fedde146543698f575e0707bb6ead99faf7179748f7a57b7d9af64dbc74983a1804a4358d66cfb36864dc12c29404ada6f8a9698868cd3c9f6

Download Submit
C:\Windows\system\explorer.exe
MD5
94c63124ad85800c8f8181bb98b371b9

SHA1
4301e23518337d499a88e874bf0d43a15d5bce9d

SHA256
5382e046cf562aef367d532e8dad0fd3ccd93605fcf11096135064a34b1eb6dc

SHA512
5fccc977809ea0fedde146543698f575e0707bb6ead99faf7179748f7a57b7d9af64dbc74983a1804a4358d66cfb36864dc12c29404ada6f8a9698868cd3c9f6

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
C:\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\??\c:\windows\system\explorer.exe
MD5
94c63124ad85800c8f8181bb98b371b9

SHA1
4301e23518337d499a88e874bf0d43a15d5bce9d

SHA256
5382e046cf562aef367d532e8dad0fd3ccd93605fcf11096135064a34b1eb6dc

SHA512
5fccc977809ea0fedde146543698f575e0707bb6ead99faf7179748f7a57b7d9af64dbc74983a1804a4358d66cfb36864dc12c29404ada6f8a9698868cd3c9f6

Download Submit
\Windows\system\explorer.exe
MD5
94c63124ad85800c8f8181bb98b371b9

SHA1
4301e23518337d499a88e874bf0d43a15d5bce9d

SHA256
5382e046cf562aef367d532e8dad0fd3ccd93605fcf11096135064a34b1eb6dc

SHA512
5fccc977809ea0fedde146543698f575e0707bb6ead99faf7179748f7a57b7d9af64dbc74983a1804a4358d66cfb36864dc12c29404ada6f8a9698868cd3c9f6

Download Submit
\Windows\system\explorer.exe
MD5
94c63124ad85800c8f8181bb98b371b9

SHA1
4301e23518337d499a88e874bf0d43a15d5bce9d

SHA256
5382e046cf562aef367d532e8dad0fd3ccd93605fcf11096135064a34b1eb6dc

SHA512
5fccc977809ea0fedde146543698f575e0707bb6ead99faf7179748f7a57b7d9af64dbc74983a1804a4358d66cfb36864dc12c29404ada6f8a9698868cd3c9f6

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
\Windows\system\spoolsv.exe
MD5
f48df108f9a0ebc0618df5a86ff5afd5

SHA1
502466df29aab9af06a3f8aa9a518ba871dae4ee

SHA256
e4986a3be4d66546e0007b3b8853e4773e428818d088fbd7d203a99b64b13aee

SHA512
fe1bfd2ec0db791b72642a0b4bf67b53dc7d83feb3d2aff4596cf842e2ffffc3d959eaf2627af6b90d1600754f6439b95bd83aa0b51b13ba9f57d6aa247440ff

Download Submit
memory/384-179-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/384-167-0x0000000000000000-mapping.dmp

Download
memory/456-212-0x0000000000000000-mapping.dmp

Download
memory/456-222-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/536-192-0x0000000000000000-mapping.dmp

Download
memory/536-205-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/548-120-0x0000000000000000-mapping.dmp

Download
memory/548-128-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/568-207-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/568-197-0x0000000000000000-mapping.dmp

Download
memory/576-81-0x0000000000403670-mapping.dmp

Download
memory/752-88-0x0000000000411000-mapping.dmp

Download
memory/860-202-0x0000000000000000-mapping.dmp

Download
memory/860-209-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/888-241-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/888-228-0x0000000000000000-mapping.dmp

Download
memory/920-214-0x0000000000000000-mapping.dmp

Download
memory/920-223-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/928-273-0x0000000000000000-mapping.dmp

Download
memory/952-230-0x0000000000000000-mapping.dmp

Download
memory/964-287-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/964-271-0x0000000000000000-mapping.dmp

Download
memory/1004-259-0x0000000000000000-mapping.dmp

Download
memory/1068-105-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1068-101-0x0000000000000000-mapping.dmp

Download
memory/1132-261-0x0000000000000000-mapping.dmp

Download
memory/1144-210-0x0000000000000000-mapping.dmp

Download
memory/1216-309-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1216-300-0x0000000000000000-mapping.dmp

Download
memory/1228-292-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1228-281-0x0000000000000000-mapping.dmp

Download
memory/1248-153-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1248-149-0x0000000000000000-mapping.dmp

Download
memory/1376-310-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1376-301-0x0000000000000000-mapping.dmp

Download
memory/1392-78-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1392-75-0x0000000000000000-mapping.dmp

Download
memory/1404-234-0x0000000000000000-mapping.dmp

Download
memory/1420-226-0x0000000000000000-mapping.dmp

Download
memory/1428-141-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1428-137-0x0000000000000000-mapping.dmp

Download
memory/1444-299-0x0000000000000000-mapping.dmp

Download
memory/1452-249-0x0000000000000000-mapping.dmp

Download
memory/1452-264-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1504-265-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1504-251-0x0000000000000000-mapping.dmp

Download
memory/1520-63-0x0000000000403670-mapping.dmp

Download
memory/1520-297-0x0000000000000000-mapping.dmp

Download
memory/1520-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1520-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-96-0x0000000000000000-mapping.dmp

Download
memory/1536-104-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1556-285-0x0000000000000000-mapping.dmp

Download
memory/1556-294-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1560-178-0x0000000000000000-mapping.dmp

Download
memory/1560-188-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1572-247-0x0000000000000000-mapping.dmp

Download
memory/1572-263-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1576-277-0x0000000000000000-mapping.dmp

Download
memory/1576-290-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1584-313-0x0000000000000000-mapping.dmp

Download
memory/1592-206-0x0000000000000000-mapping.dmp

Download
memory/1592-220-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-117-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-113-0x0000000000000000-mapping.dmp

Download
memory/1628-181-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1628-172-0x0000000000000000-mapping.dmp

Download
memory/1660-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1660-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1676-69-0x0000000000411000-mapping.dmp

Download
memory/1676-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1680-296-0x0000000000000000-mapping.dmp

Download
memory/1696-311-0x0000000000000000-mapping.dmp

Download
memory/1704-161-0x0000000000000000-mapping.dmp

Download
memory/1724-238-0x0000000000000000-mapping.dmp

Download
memory/1728-302-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1728-295-0x0000000000000000-mapping.dmp

Download
memory/1736-307-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1736-304-0x0000000000000000-mapping.dmp

Download
memory/1760-185-0x0000000000000000-mapping.dmp

Download
memory/1764-275-0x0000000000000000-mapping.dmp

Download
memory/1784-132-0x0000000000000000-mapping.dmp

Download
memory/1784-140-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1800-116-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1800-108-0x0000000000000000-mapping.dmp

Download
memory/1836-298-0x0000000000000000-mapping.dmp

Download
memory/1844-225-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1844-218-0x0000000000000000-mapping.dmp

Download
memory/1856-232-0x0000000000000000-mapping.dmp

Download
memory/1900-236-0x0000000000000000-mapping.dmp

Download
memory/1956-253-0x0000000000000000-mapping.dmp

Download
memory/1956-266-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1964-257-0x0000000000000000-mapping.dmp

Download
memory/1976-224-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1976-216-0x0000000000000000-mapping.dmp

Download
memory/1980-279-0x0000000000000000-mapping.dmp

Download
memory/1984-283-0x0000000000000000-mapping.dmp

Download
memory/1984-293-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1996-125-0x0000000000000000-mapping.dmp

Download
memory/1996-129-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2012-164-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-156-0x0000000000000000-mapping.dmp

Download
memory/2036-267-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2036-255-0x0000000000000000-mapping.dmp

Download
memory/2040-312-0x0000000000000000-mapping.dmp

Download
memory/2040-315-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2044-144-0x0000000000000000-mapping.dmp

Download
memory/2044-152-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads