warzonerat | a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf

Analysis

max time kernel
151s
max time network
110s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
Size

1.8MB
MD5

b6c8a4f497f3d7a552cb01272123a0f5
SHA1

ab35e3b7d7245a7ebffa74898d788c1938c244e9
SHA256

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf
SHA512

c8507bc0cf0c1ea6e2ba127236fb3d78d93ead60dec2a71c85fa4067047c8df3077f184f383994ef32c5b67559c7a2d065a3c041258cc542ce9ff82e4aa05204

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3276	explorer.exe
1344	explorer.exe
1540	spoolsv.exe
3820	spoolsv.exe
2060	spoolsv.exe
2696	spoolsv.exe
2884	spoolsv.exe
760	spoolsv.exe
3064	spoolsv.exe
3060	spoolsv.exe
2168	spoolsv.exe
3832	spoolsv.exe
868	spoolsv.exe
3900	spoolsv.exe
520	spoolsv.exe
2308	spoolsv.exe
2264	spoolsv.exe
1864	spoolsv.exe
3484	spoolsv.exe
3644	spoolsv.exe
1204	spoolsv.exe
3200	spoolsv.exe
3164	spoolsv.exe
2400	spoolsv.exe
1684	spoolsv.exe
700	spoolsv.exe
3184	spoolsv.exe
1252	spoolsv.exe
3556	spoolsv.exe
3160	spoolsv.exe
1648	spoolsv.exe
1916	spoolsv.exe
2720	spoolsv.exe
3572	spoolsv.exe
2460	spoolsv.exe
3916	spoolsv.exe
3816	spoolsv.exe
3188	spoolsv.exe
4044	spoolsv.exe
4048	spoolsv.exe
2976	spoolsv.exe
3688	spoolsv.exe
3564	spoolsv.exe
3172	spoolsv.exe
3728	spoolsv.exe
2284	spoolsv.exe
516	spoolsv.exe
2220	spoolsv.exe
3944	spoolsv.exe
2104	spoolsv.exe
1416	spoolsv.exe
2288	spoolsv.exe
4104	spoolsv.exe
4128	spoolsv.exe
4152	spoolsv.exe
4192	spoolsv.exe
4216	spoolsv.exe
4240	spoolsv.exe
4268	spoolsv.exe
4304	spoolsv.exe
4328	spoolsv.exe
4348	spoolsv.exe
4368	spoolsv.exe
4392	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exea56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3912 set thread context of 376	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 3276 set thread context of 1344	3276	explorer.exe	explorer.exe
PID 3276 set thread context of 2156	3276	explorer.exe	diskperf.exe
PID 1540 set thread context of 6744	1540	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 6772	1540	spoolsv.exe	diskperf.exe
PID 3820 set thread context of 6844	3820	spoolsv.exe	spoolsv.exe
PID 3820 set thread context of 6860	3820	spoolsv.exe	diskperf.exe
PID 2060 set thread context of 6936	2060	spoolsv.exe	spoolsv.exe
PID 2060 set thread context of 6952	2060	spoolsv.exe	diskperf.exe
PID 2696 set thread context of 7008	2696	spoolsv.exe	spoolsv.exe
PID 2696 set thread context of 7036	2696	spoolsv.exe	diskperf.exe
PID 2884 set thread context of 7060	2884	spoolsv.exe	spoolsv.exe
PID 2884 set thread context of 7096	2884	spoolsv.exe	diskperf.exe
PID 760 set thread context of 7116	760	spoolsv.exe	spoolsv.exe
PID 3064 set thread context of 2672	3064	spoolsv.exe	spoolsv.exe
PID 3060 set thread context of 6792	3060	spoolsv.exe	spoolsv.exe
PID 2168 set thread context of 6804	2168	spoolsv.exe	spoolsv.exe
PID 3060 set thread context of 6852	3060	spoolsv.exe	diskperf.exe
PID 2168 set thread context of 6884	2168	spoolsv.exe	diskperf.exe
PID 3832 set thread context of 6944	3832	spoolsv.exe	spoolsv.exe
PID 3832 set thread context of 2376	3832	spoolsv.exe	diskperf.exe
PID 868 set thread context of 6964	868	spoolsv.exe	spoolsv.exe
PID 868 set thread context of 2728	868	spoolsv.exe	diskperf.exe
PID 3900 set thread context of 7048	3900	spoolsv.exe	spoolsv.exe
PID 3900 set thread context of 7104	3900	spoolsv.exe	diskperf.exe
PID 520 set thread context of 7132	520	spoolsv.exe	spoolsv.exe
PID 520 set thread context of 2228	520	spoolsv.exe	diskperf.exe
PID 2308 set thread context of 7108	2308	spoolsv.exe	spoolsv.exe
PID 2308 set thread context of 7120	2308	spoolsv.exe	diskperf.exe
PID 2264 set thread context of 184	2264	spoolsv.exe	spoolsv.exe
PID 2264 set thread context of 2304	2264	spoolsv.exe	diskperf.exe
PID 1864 set thread context of 2508	1864	spoolsv.exe	spoolsv.exe
PID 1864 set thread context of 6748	1864	spoolsv.exe	diskperf.exe
PID 3484 set thread context of 6976	3484	spoolsv.exe	spoolsv.exe
PID 3484 set thread context of 916	3484	spoolsv.exe	diskperf.exe
PID 3644 set thread context of 7112	3644	spoolsv.exe	spoolsv.exe
PID 3644 set thread context of 1316	3644	spoolsv.exe	diskperf.exe
PID 1204 set thread context of 6768	1204	spoolsv.exe	spoolsv.exe
PID 1204 set thread context of 7136	1204	spoolsv.exe	diskperf.exe
PID 3200 set thread context of 4008	3200	spoolsv.exe	spoolsv.exe
PID 3200 set thread context of 2100	3200	spoolsv.exe	diskperf.exe
PID 3164 set thread context of 2508	3164	spoolsv.exe	spoolsv.exe
PID 3164 set thread context of 4404	3164	spoolsv.exe	diskperf.exe
PID 2400 set thread context of 1352	2400	spoolsv.exe	spoolsv.exe
PID 2400 set thread context of 4436	2400	spoolsv.exe	diskperf.exe
PID 1684 set thread context of 4464	1684	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 1312	1684	spoolsv.exe	diskperf.exe
PID 700 set thread context of 2172	700	spoolsv.exe	spoolsv.exe
PID 700 set thread context of 4520	700	spoolsv.exe	diskperf.exe
PID 3184 set thread context of 4556	3184	spoolsv.exe	spoolsv.exe
PID 3184 set thread context of 2512	3184	spoolsv.exe	diskperf.exe
PID 1252 set thread context of 7132	1252	spoolsv.exe	spoolsv.exe
PID 3556 set thread context of 4464	3556	spoolsv.exe	spoolsv.exe
PID 3160 set thread context of 1672	3160	spoolsv.exe	spoolsv.exe
PID 3160 set thread context of 408	3160	spoolsv.exe	diskperf.exe
PID 1648 set thread context of 3888	1648	spoolsv.exe	spoolsv.exe
PID 1916 set thread context of 4572	1916	spoolsv.exe	spoolsv.exe
PID 1916 set thread context of 4420	1916	spoolsv.exe	diskperf.exe
PID 2720 set thread context of 4696	2720	spoolsv.exe	spoolsv.exe
PID 2720 set thread context of 2268	2720	spoolsv.exe	diskperf.exe
PID 3572 set thread context of 788	3572	spoolsv.exe	spoolsv.exe
PID 3572 set thread context of 4536	3572	spoolsv.exe	diskperf.exe
PID 2460 set thread context of 1196	2460	spoolsv.exe	spoolsv.exe
PID 2460 set thread context of 3260	2460	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exeexplorer.exe

pid	process
376	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
376	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1344 explorer.exe

pid	process
1344	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
376	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
376	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
1344	explorer.exe
6744	spoolsv.exe
6744	spoolsv.exe
6844	spoolsv.exe
6844	spoolsv.exe
6936	spoolsv.exe
6936	spoolsv.exe
7008	spoolsv.exe
7008	spoolsv.exe
7060	spoolsv.exe
7116	spoolsv.exe
7060	spoolsv.exe
7116	spoolsv.exe
2672	spoolsv.exe
2672	spoolsv.exe
6792	spoolsv.exe
6804	spoolsv.exe
6792	spoolsv.exe
6804	spoolsv.exe
6944	spoolsv.exe
6944	spoolsv.exe
6964	spoolsv.exe
6964	spoolsv.exe
7048	spoolsv.exe
7048	spoolsv.exe
7132	spoolsv.exe
7132	spoolsv.exe
7108	spoolsv.exe
7108	spoolsv.exe
184	spoolsv.exe
184	spoolsv.exe
2508	spoolsv.exe
2508	spoolsv.exe
6976	spoolsv.exe
6976	spoolsv.exe
7112	spoolsv.exe
7112	spoolsv.exe
6768	spoolsv.exe
6768	spoolsv.exe
4008	spoolsv.exe
4008	spoolsv.exe
2508	spoolsv.exe
2508	spoolsv.exe
1352	spoolsv.exe
1352	spoolsv.exe
4464	spoolsv.exe
4464	spoolsv.exe
2172	spoolsv.exe
2172	spoolsv.exe
4556	spoolsv.exe
4556	spoolsv.exe
7132	spoolsv.exe
7132	spoolsv.exe
4464	spoolsv.exe
4464	spoolsv.exe
1672	spoolsv.exe
1672	spoolsv.exe
3888	spoolsv.exe
3888	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exea56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3912 wrote to memory of 376	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 3912 wrote to memory of 376	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 3912 wrote to memory of 376	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 3912 wrote to memory of 376	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 3912 wrote to memory of 376	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 3912 wrote to memory of 376	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 3912 wrote to memory of 376	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 3912 wrote to memory of 376	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 3912 wrote to memory of 3588	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 3912 wrote to memory of 3588	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 3912 wrote to memory of 3588	3912	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 376 wrote to memory of 3276	376	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	explorer.exe
PID 376 wrote to memory of 3276	376	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	explorer.exe
PID 376 wrote to memory of 3276	376	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	explorer.exe
PID 3276 wrote to memory of 1344	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1344	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1344	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1344	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1344	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1344	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1344	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1344	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 2156	3276	explorer.exe	diskperf.exe
PID 3276 wrote to memory of 2156	3276	explorer.exe	diskperf.exe
PID 3276 wrote to memory of 2156	3276	explorer.exe	diskperf.exe
PID 3276 wrote to memory of 2156	3276	explorer.exe	diskperf.exe
PID 3276 wrote to memory of 2156	3276	explorer.exe	diskperf.exe
PID 1344 wrote to memory of 1540	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 1540	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 1540	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3820	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3820	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3820	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2060	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2060	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2060	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2696	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2696	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2696	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2884	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2884	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2884	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 760	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 760	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 760	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3064	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3064	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3064	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3060	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3060	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3060	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2168	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2168	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 2168	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3832	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3832	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3832	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 868	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 868	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 868	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3900	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3900	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 3900	1344	explorer.exe	spoolsv.exe
PID 1344 wrote to memory of 520	1344	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
"C:\Users\Admin\AppData\Local\Temp\a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
"C:\Users\Admin\AppData\Local\Temp\a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:376

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3276

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6744

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6936

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7060

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7116

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7048

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7108

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:184

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4208

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6976

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7052

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7112

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4340

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1352

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4452

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4464

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2172

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4556

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7132

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4464

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4572

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:788

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4744

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4552

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4840

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1668

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1848

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3340

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3336

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3288

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5104

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4116

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4188

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3336

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4312

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3112

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4356

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5148

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5036

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5216

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2420

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5252

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4176

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5036

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5220

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4120

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4172

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3388

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2152

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5432

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4232

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4392

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4272

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5640

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:2156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:3588

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:4308

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:5588

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b6c8a4f497f3d7a552cb01272123a0f5

SHA1
ab35e3b7d7245a7ebffa74898d788c1938c244e9

SHA256
a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf

SHA512
c8507bc0cf0c1ea6e2ba127236fb3d78d93ead60dec2a71c85fa4067047c8df3077f184f383994ef32c5b67559c7a2d065a3c041258cc542ce9ff82e4aa05204

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
1fe8c257fe63142a156d97f015071af3

SHA1
068f80dfcefddffee925772f6545b6704627e71b

SHA256
17183a0804270ab16c724076452ac74993dcb53b80f1640195fbedb4b9a3e1af

SHA512
414d445533b7d8ad137f7c0d0a33f9029d77c9baad96d4a98273c34bc4f726b17e18564c63eccb8535b5024b334ad9e04e415147f01d0cddbe958aaff538dd87

Download Submit
C:\Windows\System\explorer.exe
MD5
1fe8c257fe63142a156d97f015071af3

SHA1
068f80dfcefddffee925772f6545b6704627e71b

SHA256
17183a0804270ab16c724076452ac74993dcb53b80f1640195fbedb4b9a3e1af

SHA512
414d445533b7d8ad137f7c0d0a33f9029d77c9baad96d4a98273c34bc4f726b17e18564c63eccb8535b5024b334ad9e04e415147f01d0cddbe958aaff538dd87

Download Submit
C:\Windows\System\explorer.exe
MD5
1fe8c257fe63142a156d97f015071af3

SHA1
068f80dfcefddffee925772f6545b6704627e71b

SHA256
17183a0804270ab16c724076452ac74993dcb53b80f1640195fbedb4b9a3e1af

SHA512
414d445533b7d8ad137f7c0d0a33f9029d77c9baad96d4a98273c34bc4f726b17e18564c63eccb8535b5024b334ad9e04e415147f01d0cddbe958aaff538dd87

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
\??\c:\windows\system\explorer.exe
MD5
1fe8c257fe63142a156d97f015071af3

SHA1
068f80dfcefddffee925772f6545b6704627e71b

SHA256
17183a0804270ab16c724076452ac74993dcb53b80f1640195fbedb4b9a3e1af

SHA512
414d445533b7d8ad137f7c0d0a33f9029d77c9baad96d4a98273c34bc4f726b17e18564c63eccb8535b5024b334ad9e04e415147f01d0cddbe958aaff538dd87

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
b757f5c14123a570e0af737bd72dc99a

SHA1
1221cda51909781918a1c251bbbe38ebd132a0b1

SHA256
17819b37a3a545b3708b28dd08bdfccb45bff077b5e59e1ee626146847b6a398

SHA512
372477846b54aec649f09db94f4947a87255fc0e14006d2497dc050c4d5d05fc102bb47391cce6ff180274c66db1ff2fdffa40715ad8aab8f201ad3bce2a4976

Download Submit
memory/376-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/376-116-0x0000000000403670-mapping.dmp

Download
memory/376-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/516-269-0x0000000000000000-mapping.dmp

Download
memory/516-272-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/520-173-0x0000000000000000-mapping.dmp

Download
memory/520-176-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/700-209-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/700-206-0x0000000000000000-mapping.dmp

Download
memory/760-155-0x0000000000000000-mapping.dmp

Download
memory/868-169-0x0000000000000000-mapping.dmp

Download
memory/868-177-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1204-192-0x0000000000000000-mapping.dmp

Download
memory/1252-214-0x0000000000000000-mapping.dmp

Download
memory/1252-219-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/1344-126-0x0000000000403670-mapping.dmp

Download
memory/1416-284-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1416-281-0x0000000000000000-mapping.dmp

Download
memory/1540-144-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1540-139-0x0000000000000000-mapping.dmp

Download
memory/1648-223-0x0000000000000000-mapping.dmp

Download
memory/1648-229-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1684-211-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1684-204-0x0000000000000000-mapping.dmp

Download
memory/1864-187-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1864-183-0x0000000000000000-mapping.dmp

Download
memory/1916-225-0x0000000000000000-mapping.dmp

Download
memory/1916-230-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2060-152-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2060-146-0x0000000000000000-mapping.dmp

Download
memory/2104-286-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2104-279-0x0000000000000000-mapping.dmp

Download
memory/2156-131-0x0000000000411000-mapping.dmp

Download
memory/2156-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2156-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2168-161-0x0000000000000000-mapping.dmp

Download
memory/2168-165-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2220-283-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2220-275-0x0000000000000000-mapping.dmp

Download
memory/2264-186-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2264-181-0x0000000000000000-mapping.dmp

Download
memory/2284-267-0x0000000000000000-mapping.dmp

Download
memory/2284-274-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download
memory/2288-287-0x0000000000000000-mapping.dmp

Download
memory/2288-295-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2308-179-0x0000000000000000-mapping.dmp

Download
memory/2308-185-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2400-202-0x0000000000000000-mapping.dmp

Download
memory/2400-210-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2460-235-0x0000000000000000-mapping.dmp

Download
memory/2460-240-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2696-153-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2696-148-0x0000000000000000-mapping.dmp

Download
memory/2720-232-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2720-228-0x0000000000000000-mapping.dmp

Download
memory/2884-150-0x0000000000000000-mapping.dmp

Download
memory/2884-154-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2976-254-0x0000000000000000-mapping.dmp

Download
memory/2976-260-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3060-166-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3060-159-0x0000000000000000-mapping.dmp

Download
memory/3064-164-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3064-157-0x0000000000000000-mapping.dmp

Download
memory/3160-221-0x0000000000000000-mapping.dmp

Download
memory/3160-227-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3164-200-0x0000000000000000-mapping.dmp

Download
memory/3164-208-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3172-271-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3172-263-0x0000000000000000-mapping.dmp

Download
memory/3184-218-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3184-212-0x0000000000000000-mapping.dmp

Download
memory/3188-252-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3188-244-0x0000000000000000-mapping.dmp

Download
memory/3200-199-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3200-194-0x0000000000000000-mapping.dmp

Download
memory/3276-124-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/3276-121-0x0000000000000000-mapping.dmp

Download
memory/3484-196-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3484-188-0x0000000000000000-mapping.dmp

Download
memory/3556-220-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3556-216-0x0000000000000000-mapping.dmp

Download
memory/3564-262-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3564-258-0x0000000000000000-mapping.dmp

Download
memory/3572-233-0x0000000000000000-mapping.dmp

Download
memory/3572-239-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/3644-190-0x0000000000000000-mapping.dmp

Download
memory/3644-197-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3688-261-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3688-256-0x0000000000000000-mapping.dmp

Download
memory/3728-273-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3728-265-0x0000000000000000-mapping.dmp

Download
memory/3816-250-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/3816-242-0x0000000000000000-mapping.dmp

Download
memory/3820-145-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3820-142-0x0000000000000000-mapping.dmp

Download
memory/3832-167-0x0000000000000000-mapping.dmp

Download
memory/3832-175-0x0000000000620000-0x000000000076A000-memory.dmp

Filesize
1.3MB

Download
memory/3900-171-0x0000000000000000-mapping.dmp

Download
memory/3900-178-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3912-114-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3916-241-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3916-237-0x0000000000000000-mapping.dmp

Download
memory/3944-277-0x0000000000000000-mapping.dmp

Download
memory/3944-285-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4044-246-0x0000000000000000-mapping.dmp

Download
memory/4044-253-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4048-248-0x0000000000000000-mapping.dmp

Download
memory/4048-251-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4104-289-0x0000000000000000-mapping.dmp

Download
memory/4104-297-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4128-291-0x0000000000000000-mapping.dmp

Download
memory/4128-298-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4152-296-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4152-293-0x0000000000000000-mapping.dmp

Download
memory/4192-305-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4192-299-0x0000000000000000-mapping.dmp

Download
memory/4216-301-0x0000000000000000-mapping.dmp

Download
memory/4216-307-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4240-303-0x0000000000000000-mapping.dmp

Download
memory/4240-310-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4268-306-0x0000000000000000-mapping.dmp

Download
memory/4268-309-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4304-311-0x0000000000000000-mapping.dmp

Download
memory/4304-315-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4328-313-0x0000000000000000-mapping.dmp

Download
memory/4328-316-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4348-314-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads