warzonerat | 9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

Analysis

max time kernel
150s
max time network
11s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
Size

1.8MB
MD5

fd27da880372209151379289b0e57d11
SHA1

9d9236804d7a0574ebff234bec1bea519497c27f
SHA256

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339
SHA512

d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
428	explorer.exe
1660	explorer.exe
1540	spoolsv.exe
1384	spoolsv.exe
1176	spoolsv.exe
1708	spoolsv.exe
1584	spoolsv.exe
1812	spoolsv.exe
1976	spoolsv.exe
1948	spoolsv.exe
896	spoolsv.exe
936	spoolsv.exe
1696	spoolsv.exe
676	spoolsv.exe
1132	spoolsv.exe
820	spoolsv.exe
1620	spoolsv.exe
1776	spoolsv.exe
816	spoolsv.exe
1288	spoolsv.exe
1920	spoolsv.exe
1652	spoolsv.exe
984	spoolsv.exe
288	spoolsv.exe
1624	spoolsv.exe
1180	spoolsv.exe
1648	spoolsv.exe
1984	spoolsv.exe
2024	spoolsv.exe
1656	spoolsv.exe
912	spoolsv.exe
1372	spoolsv.exe
524	spoolsv.exe
308	spoolsv.exe
1452	spoolsv.exe
1676	spoolsv.exe
1392	spoolsv.exe
1544	spoolsv.exe
1808	spoolsv.exe
740	spoolsv.exe
2044	spoolsv.exe
916	spoolsv.exe
428	spoolsv.exe
632	spoolsv.exe
572	spoolsv.exe
512	spoolsv.exe
1772	spoolsv.exe
2032	spoolsv.exe
1720	spoolsv.exe
1280	spoolsv.exe
1440	spoolsv.exe
520	spoolsv.exe
1056	spoolsv.exe
556	spoolsv.exe
268	spoolsv.exe
944	spoolsv.exe
1684	spoolsv.exe
652	spoolsv.exe
1072	spoolsv.exe
852	spoolsv.exe
540	spoolsv.exe
860	spoolsv.exe
1956	spoolsv.exe
1228	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exeexplorer.exe

pid	process
1364	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
1364	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 452 set thread context of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 set thread context of 1640	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 428 set thread context of 1660	428	explorer.exe	explorer.exe
PID 428 set thread context of 1232	428	explorer.exe	diskperf.exe
PID 1540 set thread context of 3148	1540	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 3156	1540	spoolsv.exe	diskperf.exe
PID 1384 set thread context of 3192	1384	spoolsv.exe	spoolsv.exe
PID 1384 set thread context of 3200	1384	spoolsv.exe	diskperf.exe
PID 1176 set thread context of 3228	1176	spoolsv.exe	spoolsv.exe
PID 1176 set thread context of 3236	1176	spoolsv.exe	diskperf.exe
PID 1708 set thread context of 3264	1708	spoolsv.exe	spoolsv.exe
PID 1708 set thread context of 3272	1708	spoolsv.exe	diskperf.exe
PID 1584 set thread context of 3292	1584	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 3300	1584	spoolsv.exe	diskperf.exe
PID 1812 set thread context of 3312	1812	spoolsv.exe	spoolsv.exe
PID 1812 set thread context of 3320	1812	spoolsv.exe	diskperf.exe
PID 1976 set thread context of 3348	1976	spoolsv.exe	spoolsv.exe
PID 1976 set thread context of 3356	1976	spoolsv.exe	diskperf.exe
PID 1948 set thread context of 3380	1948	spoolsv.exe	spoolsv.exe
PID 1948 set thread context of 3388	1948	spoolsv.exe	diskperf.exe
PID 896 set thread context of 3416	896	spoolsv.exe	spoolsv.exe
PID 896 set thread context of 3424	896	spoolsv.exe	diskperf.exe
PID 936 set thread context of 3452	936	spoolsv.exe	spoolsv.exe
PID 936 set thread context of 3460	936	spoolsv.exe	diskperf.exe
PID 1696 set thread context of 3484	1696	spoolsv.exe	spoolsv.exe
PID 1696 set thread context of 3492	1696	spoolsv.exe	diskperf.exe
PID 676 set thread context of 3516	676	spoolsv.exe	spoolsv.exe
PID 676 set thread context of 3524	676	spoolsv.exe	diskperf.exe
PID 1132 set thread context of 3548	1132	spoolsv.exe	spoolsv.exe
PID 1132 set thread context of 3556	1132	spoolsv.exe	diskperf.exe
PID 820 set thread context of 3580	820	spoolsv.exe	spoolsv.exe
PID 820 set thread context of 3588	820	spoolsv.exe	diskperf.exe
PID 1620 set thread context of 3616	1620	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 3624	1620	spoolsv.exe	diskperf.exe
PID 1776 set thread context of 3644	1776	spoolsv.exe	spoolsv.exe
PID 1776 set thread context of 3656	1776	spoolsv.exe	diskperf.exe
PID 816 set thread context of 3676	816	spoolsv.exe	spoolsv.exe
PID 816 set thread context of 3684	816	spoolsv.exe	diskperf.exe
PID 1288 set thread context of 3712	1288	spoolsv.exe	spoolsv.exe
PID 1288 set thread context of 3720	1288	spoolsv.exe	diskperf.exe
PID 1920 set thread context of 3748	1920	spoolsv.exe	spoolsv.exe
PID 1920 set thread context of 3760	1920	spoolsv.exe	diskperf.exe
PID 1652 set thread context of 3776	1652	spoolsv.exe	spoolsv.exe
PID 1652 set thread context of 3784	1652	spoolsv.exe	diskperf.exe
PID 984 set thread context of 3812	984	spoolsv.exe	spoolsv.exe
PID 288 set thread context of 3824	288	spoolsv.exe	spoolsv.exe
PID 288 set thread context of 3832	288	spoolsv.exe	diskperf.exe
PID 1180 set thread context of 3856	1180	spoolsv.exe	spoolsv.exe
PID 984 set thread context of 3848	984	spoolsv.exe	diskperf.exe
PID 1180 set thread context of 3864	1180	spoolsv.exe	diskperf.exe
PID 1624 set thread context of 3872	1624	spoolsv.exe	spoolsv.exe
PID 1648 set thread context of 3880	1648	spoolsv.exe	spoolsv.exe
PID 1624 set thread context of 3892	1624	spoolsv.exe	diskperf.exe
PID 1648 set thread context of 3900	1648	spoolsv.exe	diskperf.exe
PID 1984 set thread context of 3908	1984	spoolsv.exe	spoolsv.exe
PID 1984 set thread context of 3928	1984	spoolsv.exe	diskperf.exe
PID 1656 set thread context of 3944	1656	spoolsv.exe	spoolsv.exe
PID 2024 set thread context of 3936	2024	spoolsv.exe	spoolsv.exe
PID 1656 set thread context of 3952	1656	spoolsv.exe	diskperf.exe
PID 2024 set thread context of 3960	2024	spoolsv.exe	diskperf.exe
PID 1372 set thread context of 3968	1372	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 3976	912	spoolsv.exe	spoolsv.exe
PID 1372 set thread context of 3984	1372	spoolsv.exe	diskperf.exe
PID 912 set thread context of 4004	912	spoolsv.exe	diskperf.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exe9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exeexplorer.exe

pid	process
1364	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1660 explorer.exe

pid	process
1660	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1364	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
1364	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
1660	explorer.exe
3148	spoolsv.exe
3148	spoolsv.exe
3192	spoolsv.exe
3192	spoolsv.exe
3228	spoolsv.exe
3228	spoolsv.exe
3264	spoolsv.exe
3264	spoolsv.exe
3292	spoolsv.exe
3292	spoolsv.exe
3312	spoolsv.exe
3312	spoolsv.exe
3348	spoolsv.exe
3348	spoolsv.exe
3380	spoolsv.exe
3380	spoolsv.exe
3416	spoolsv.exe
3416	spoolsv.exe
3452	spoolsv.exe
3452	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
3516	spoolsv.exe
3516	spoolsv.exe
3548	spoolsv.exe
3548	spoolsv.exe
3580	spoolsv.exe
3580	spoolsv.exe
3616	spoolsv.exe
3616	spoolsv.exe
3644	spoolsv.exe
3644	spoolsv.exe
3676	spoolsv.exe
3676	spoolsv.exe
3712	spoolsv.exe
3712	spoolsv.exe
3748	spoolsv.exe
3748	spoolsv.exe
3776	spoolsv.exe
3776	spoolsv.exe
3812	spoolsv.exe
3812	spoolsv.exe
3824	spoolsv.exe
3824	spoolsv.exe
3856	spoolsv.exe
3856	spoolsv.exe
3872	spoolsv.exe
3872	spoolsv.exe
3880	spoolsv.exe
3880	spoolsv.exe
3908	spoolsv.exe
3908	spoolsv.exe
3944	spoolsv.exe
3936	spoolsv.exe
3944	spoolsv.exe
3936	spoolsv.exe
3968	spoolsv.exe
3968	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 452 wrote to memory of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 wrote to memory of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 wrote to memory of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 wrote to memory of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 wrote to memory of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 wrote to memory of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 wrote to memory of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 wrote to memory of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 wrote to memory of 1364	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 452 wrote to memory of 1640	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 452 wrote to memory of 1640	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 452 wrote to memory of 1640	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 452 wrote to memory of 1640	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 452 wrote to memory of 1640	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 452 wrote to memory of 1640	452	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 1364 wrote to memory of 428	1364	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	explorer.exe
PID 1364 wrote to memory of 428	1364	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	explorer.exe
PID 1364 wrote to memory of 428	1364	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	explorer.exe
PID 1364 wrote to memory of 428	1364	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	explorer.exe
PID 428 wrote to memory of 1660	428	explorer.exe	explorer.exe
PID 428 wrote to memory of 1660	428	explorer.exe	explorer.exe
PID 428 wrote to memory of 1660	428	explorer.exe	explorer.exe
PID 428 wrote to memory of 1660	428	explorer.exe	explorer.exe
PID 428 wrote to memory of 1660	428	explorer.exe	explorer.exe
PID 428 wrote to memory of 1660	428	explorer.exe	explorer.exe
PID 428 wrote to memory of 1660	428	explorer.exe	explorer.exe
PID 428 wrote to memory of 1660	428	explorer.exe	explorer.exe
PID 428 wrote to memory of 1660	428	explorer.exe	explorer.exe
PID 428 wrote to memory of 1232	428	explorer.exe	diskperf.exe
PID 428 wrote to memory of 1232	428	explorer.exe	diskperf.exe
PID 428 wrote to memory of 1232	428	explorer.exe	diskperf.exe
PID 428 wrote to memory of 1232	428	explorer.exe	diskperf.exe
PID 428 wrote to memory of 1232	428	explorer.exe	diskperf.exe
PID 428 wrote to memory of 1232	428	explorer.exe	diskperf.exe
PID 1660 wrote to memory of 1540	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1540	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1540	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1540	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1384	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1384	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1384	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1384	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1176	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1176	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1176	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1176	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1708	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1708	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1708	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1708	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1584	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1584	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1584	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1584	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1812	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1812	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1812	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1812	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1976	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1976	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1976	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1976	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1948	1660	explorer.exe	spoolsv.exe
PID 1660 wrote to memory of 1948	1660	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
"C:\Users\Admin\AppData\Local\Temp\9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
"C:\Users\Admin\AppData\Local\Temp\9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:428

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3192

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3228

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3248

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3264

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3312

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3332

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3348

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3368

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3380

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3416

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3452

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3516

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3536

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3548

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3568

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3712

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3776

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3812

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3908

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3968

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4012

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3208

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4064

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3256

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3180

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1276

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3412

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3456

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3452

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:560

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3604

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3704

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3728

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3796

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3880

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3860

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1188

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3940

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1588

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3968

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3176

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3180

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1668

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3340

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2020

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Adds Run key to start application
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1640

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
fd27da880372209151379289b0e57d11

SHA1
9d9236804d7a0574ebff234bec1bea519497c27f

SHA256
9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

SHA512
d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
f94b8a964ce3aff62910ae7cc5187b96

SHA1
22adb49c70bc276d8031f241edae335633d18fa1

SHA256
2831547858b194a7861d612cf10569fb97be5977610ba8336a5c0923d3e126e0

SHA512
8237ab9ab7a25b840d38547b2ebdb595d039a099f4ae89db98941e33084dbb90ffa57854fc4f8fe633719e531a585e88d3d613c6a734940a07e3008d2bfc7fa5

Download Submit
C:\Windows\system\explorer.exe
MD5
f94b8a964ce3aff62910ae7cc5187b96

SHA1
22adb49c70bc276d8031f241edae335633d18fa1

SHA256
2831547858b194a7861d612cf10569fb97be5977610ba8336a5c0923d3e126e0

SHA512
8237ab9ab7a25b840d38547b2ebdb595d039a099f4ae89db98941e33084dbb90ffa57854fc4f8fe633719e531a585e88d3d613c6a734940a07e3008d2bfc7fa5

Download Submit
C:\Windows\system\explorer.exe
MD5
f94b8a964ce3aff62910ae7cc5187b96

SHA1
22adb49c70bc276d8031f241edae335633d18fa1

SHA256
2831547858b194a7861d612cf10569fb97be5977610ba8336a5c0923d3e126e0

SHA512
8237ab9ab7a25b840d38547b2ebdb595d039a099f4ae89db98941e33084dbb90ffa57854fc4f8fe633719e531a585e88d3d613c6a734940a07e3008d2bfc7fa5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\??\c:\windows\system\explorer.exe
MD5
f94b8a964ce3aff62910ae7cc5187b96

SHA1
22adb49c70bc276d8031f241edae335633d18fa1

SHA256
2831547858b194a7861d612cf10569fb97be5977610ba8336a5c0923d3e126e0

SHA512
8237ab9ab7a25b840d38547b2ebdb595d039a099f4ae89db98941e33084dbb90ffa57854fc4f8fe633719e531a585e88d3d613c6a734940a07e3008d2bfc7fa5

Download Submit
\Windows\system\explorer.exe
MD5
f94b8a964ce3aff62910ae7cc5187b96

SHA1
22adb49c70bc276d8031f241edae335633d18fa1

SHA256
2831547858b194a7861d612cf10569fb97be5977610ba8336a5c0923d3e126e0

SHA512
8237ab9ab7a25b840d38547b2ebdb595d039a099f4ae89db98941e33084dbb90ffa57854fc4f8fe633719e531a585e88d3d613c6a734940a07e3008d2bfc7fa5

Download Submit
\Windows\system\explorer.exe
MD5
f94b8a964ce3aff62910ae7cc5187b96

SHA1
22adb49c70bc276d8031f241edae335633d18fa1

SHA256
2831547858b194a7861d612cf10569fb97be5977610ba8336a5c0923d3e126e0

SHA512
8237ab9ab7a25b840d38547b2ebdb595d039a099f4ae89db98941e33084dbb90ffa57854fc4f8fe633719e531a585e88d3d613c6a734940a07e3008d2bfc7fa5

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
\Windows\system\spoolsv.exe
MD5
45e3f49d80b67bc6915190da212623fa

SHA1
cd0c3c3b2bde4d8430c1de182193bd39828d356c

SHA256
468c37162c1a31660d34e468ba7f64d2696c9b69d682e1e19ede0275c2f8a529

SHA512
b1946830368e91f4f776524c08f61651d03953c44d8b59f545c8e206dafdea0b07f9c7f893368ac782de54ba128de687e56ffe53dbd489b88f45d96dec1d5d87

Download Submit
memory/268-304-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/268-298-0x0000000000000000-mapping.dmp

Download
memory/288-213-0x0000000000000000-mapping.dmp

Download
memory/288-224-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/308-240-0x0000000000000000-mapping.dmp

Download
memory/308-251-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/428-78-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/428-271-0x0000000000000000-mapping.dmp

Download
memory/428-74-0x0000000000000000-mapping.dmp

Download
memory/452-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/452-60-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/512-277-0x0000000000000000-mapping.dmp

Download
memory/520-301-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/520-295-0x0000000000000000-mapping.dmp

Download
memory/524-238-0x0000000000000000-mapping.dmp

Download
memory/540-310-0x0000000000000000-mapping.dmp

Download
memory/556-297-0x0000000000000000-mapping.dmp

Download
memory/572-275-0x0000000000000000-mapping.dmp

Download
memory/632-273-0x0000000000000000-mapping.dmp

Download
memory/652-307-0x0000000000000000-mapping.dmp

Download
memory/676-160-0x0000000000000000-mapping.dmp

Download
memory/676-170-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/740-259-0x0000000000000000-mapping.dmp

Download
memory/816-205-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/816-192-0x0000000000000000-mapping.dmp

Download
memory/820-174-0x0000000000000000-mapping.dmp

Download
memory/820-187-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/852-315-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/852-309-0x0000000000000000-mapping.dmp

Download
memory/896-142-0x0000000000000000-mapping.dmp

Download
memory/896-147-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/912-234-0x0000000000000000-mapping.dmp

Download
memory/912-247-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/916-263-0x0000000000000000-mapping.dmp

Download
memory/916-270-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/936-162-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/936-150-0x0000000000000000-mapping.dmp

Download
memory/944-305-0x0000000000000000-mapping.dmp

Download
memory/944-311-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/984-223-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/984-211-0x0000000000000000-mapping.dmp

Download
memory/1056-296-0x0000000000000000-mapping.dmp

Download
memory/1072-308-0x0000000000000000-mapping.dmp

Download
memory/1072-314-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1132-167-0x0000000000000000-mapping.dmp

Download
memory/1132-171-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1176-116-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1176-107-0x0000000000000000-mapping.dmp

Download
memory/1180-217-0x0000000000000000-mapping.dmp

Download
memory/1180-227-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1232-86-0x0000000000411000-mapping.dmp

Download
memory/1280-292-0x0000000000000000-mapping.dmp

Download
memory/1288-206-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1288-197-0x0000000000000000-mapping.dmp

Download
memory/1364-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1364-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1364-63-0x0000000000403670-mapping.dmp

Download
memory/1372-249-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1372-236-0x0000000000000000-mapping.dmp

Download
memory/1384-102-0x0000000000000000-mapping.dmp

Download
memory/1384-114-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1392-253-0x0000000000000000-mapping.dmp

Download
memory/1392-265-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1440-294-0x0000000000000000-mapping.dmp

Download
memory/1452-252-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1452-242-0x0000000000000000-mapping.dmp

Download
memory/1540-100-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1540-96-0x0000000000000000-mapping.dmp

Download
memory/1544-266-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1544-255-0x0000000000000000-mapping.dmp

Download
memory/1584-128-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1584-119-0x0000000000000000-mapping.dmp

Download
memory/1620-189-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1620-179-0x0000000000000000-mapping.dmp

Download
memory/1624-215-0x0000000000000000-mapping.dmp

Download
memory/1640-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1640-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1640-66-0x0000000000411000-mapping.dmp

Download
memory/1648-219-0x0000000000000000-mapping.dmp

Download
memory/1648-228-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1652-208-0x0000000000000000-mapping.dmp

Download
memory/1652-210-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1656-232-0x0000000000000000-mapping.dmp

Download
memory/1656-245-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1660-81-0x0000000000403670-mapping.dmp

Download
memory/1676-244-0x0000000000000000-mapping.dmp

Download
memory/1684-306-0x0000000000000000-mapping.dmp

Download
memory/1684-312-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1696-164-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1696-155-0x0000000000000000-mapping.dmp

Download
memory/1708-127-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1708-112-0x0000000000000000-mapping.dmp

Download
memory/1720-286-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-283-0x0000000000000000-mapping.dmp

Download
memory/1772-279-0x0000000000000000-mapping.dmp

Download
memory/1772-290-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1776-184-0x0000000000000000-mapping.dmp

Download
memory/1776-188-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1808-257-0x0000000000000000-mapping.dmp

Download
memory/1808-267-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1812-129-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1812-124-0x0000000000000000-mapping.dmp

Download
memory/1920-202-0x0000000000000000-mapping.dmp

Download
memory/1920-207-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1948-137-0x0000000000000000-mapping.dmp

Download
memory/1976-132-0x0000000000000000-mapping.dmp

Download
memory/1976-145-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1984-221-0x0000000000000000-mapping.dmp

Download
memory/1984-230-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2024-225-0x0000000000000000-mapping.dmp

Download
memory/2024-231-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2032-281-0x0000000000000000-mapping.dmp

Download
memory/2044-261-0x0000000000000000-mapping.dmp

Download
memory/2044-269-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads