warzonerat | 33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5

Analysis

max time kernel
150s
max time network
132s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
Size

1.8MB
MD5

b9e4fdb4f1d1e50fb2b1bc6f8e648e91
SHA1

afe3e9370a5fb240ae917a9089fc07b6a54a7bd6
SHA256

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5
SHA512

ff4f45aca5c634e0e64623c8dd1e5521b502713166c5cc01699d3eef24b39e3ae7238d8afa61457c418d242cadb9505ba09a7b50cfac55cf5fa4855c7bdb2cad

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3696	explorer.exe
2168	explorer.exe
2848	spoolsv.exe
764	spoolsv.exe
2648	spoolsv.exe
3888	spoolsv.exe
2612	spoolsv.exe
3788	spoolsv.exe
1596	spoolsv.exe
3752	spoolsv.exe
3980	spoolsv.exe
808	spoolsv.exe
3852	spoolsv.exe
2304	spoolsv.exe
3440	spoolsv.exe
3600	spoolsv.exe
1212	spoolsv.exe
580	spoolsv.exe
4072	spoolsv.exe
740	spoolsv.exe
3292	spoolsv.exe
2320	spoolsv.exe
2668	spoolsv.exe
3008	spoolsv.exe
1092	spoolsv.exe
2064	spoolsv.exe
2200	spoolsv.exe
3696	spoolsv.exe
1684	spoolsv.exe
184	spoolsv.exe
2520	spoolsv.exe
928	spoolsv.exe
3088	spoolsv.exe
2148	spoolsv.exe
3484	spoolsv.exe
3000	spoolsv.exe
1268	spoolsv.exe
2660	spoolsv.exe
3996	spoolsv.exe
3612	spoolsv.exe
2628	spoolsv.exe
2544	spoolsv.exe
1392	spoolsv.exe
2704	spoolsv.exe
2864	spoolsv.exe
2420	spoolsv.exe
2068	spoolsv.exe
4108	spoolsv.exe
4132	spoolsv.exe
4156	spoolsv.exe
4192	spoolsv.exe
4216	spoolsv.exe
4240	spoolsv.exe
4264	spoolsv.exe
4304	spoolsv.exe
4328	spoolsv.exe
4352	spoolsv.exe
4388	spoolsv.exe
4412	spoolsv.exe
4436	spoolsv.exe
4460	spoolsv.exe
4492	spoolsv.exe
4508	spoolsv.exe
4524	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 61 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3368 set thread context of 3124	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 3368 set thread context of 1116	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 3696 set thread context of 2168	3696	explorer.exe	explorer.exe
PID 3696 set thread context of 1744	3696	explorer.exe	diskperf.exe
PID 2848 set thread context of 6656	2848	spoolsv.exe	spoolsv.exe
PID 764 set thread context of 6736	764	spoolsv.exe	spoolsv.exe
PID 2648 set thread context of 6800	2648	spoolsv.exe	spoolsv.exe
PID 3888 set thread context of 6864	3888	spoolsv.exe	spoolsv.exe
PID 3888 set thread context of 6880	3888	spoolsv.exe	diskperf.exe
PID 2612 set thread context of 6944	2612	spoolsv.exe	spoolsv.exe
PID 3788 set thread context of 6984	3788	spoolsv.exe	spoolsv.exe
PID 3788 set thread context of 7004	3788	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 7068	1596	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 7088	1596	spoolsv.exe	diskperf.exe
PID 3752 set thread context of 7100	3752	spoolsv.exe	spoolsv.exe
PID 3980 set thread context of 7160	3980	spoolsv.exe	spoolsv.exe
PID 3980 set thread context of 212	3980	spoolsv.exe	diskperf.exe
PID 808 set thread context of 6712	808	spoolsv.exe	spoolsv.exe
PID 808 set thread context of 6752	808	spoolsv.exe	diskperf.exe
PID 3852 set thread context of 6768	3852	spoolsv.exe	spoolsv.exe
PID 3852 set thread context of 6776	3852	spoolsv.exe	diskperf.exe
PID 2304 set thread context of 6816	2304	spoolsv.exe	spoolsv.exe
PID 2304 set thread context of 6836	2304	spoolsv.exe	diskperf.exe
PID 3440 set thread context of 6904	3440	spoolsv.exe	spoolsv.exe
PID 3600 set thread context of 6964	3600	spoolsv.exe	spoolsv.exe
PID 3600 set thread context of 6972	3600	spoolsv.exe	diskperf.exe
PID 1212 set thread context of 7044	1212	spoolsv.exe	spoolsv.exe
PID 1212 set thread context of 7052	1212	spoolsv.exe	diskperf.exe
PID 580 set thread context of 7112	580	spoolsv.exe	spoolsv.exe
PID 4072 set thread context of 7152	4072	spoolsv.exe	spoolsv.exe
PID 4072 set thread context of 7104	4072	spoolsv.exe	diskperf.exe
PID 740 set thread context of 6680	740	spoolsv.exe	spoolsv.exe
PID 740 set thread context of 7084	740	spoolsv.exe	diskperf.exe
PID 3292 set thread context of 6756	3292	spoolsv.exe	spoolsv.exe
PID 3292 set thread context of 4036	3292	spoolsv.exe	diskperf.exe
PID 2320 set thread context of 2264	2320	spoolsv.exe	spoolsv.exe
PID 2320 set thread context of 6892	2320	spoolsv.exe	diskperf.exe
PID 2668 set thread context of 6920	2668	spoolsv.exe	spoolsv.exe
PID 3008 set thread context of 2860	3008	spoolsv.exe	spoolsv.exe
PID 3008 set thread context of 3568	3008	spoolsv.exe	diskperf.exe
PID 1092 set thread context of 2496	1092	spoolsv.exe	spoolsv.exe
PID 1092 set thread context of 2296	1092	spoolsv.exe	diskperf.exe
PID 2064 set thread context of 3212	2064	spoolsv.exe	spoolsv.exe
PID 2064 set thread context of 7140	2064	spoolsv.exe	diskperf.exe
PID 2200 set thread context of 7156	2200	spoolsv.exe	spoolsv.exe
PID 2200 set thread context of 2744	2200	spoolsv.exe	diskperf.exe
PID 3696 set thread context of 7108	3696	spoolsv.exe	spoolsv.exe
PID 3696 set thread context of 4500	3696	spoolsv.exe	diskperf.exe
PID 1684 set thread context of 4536	1684	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 4548	1684	spoolsv.exe	diskperf.exe
PID 184 set thread context of 2264	184	spoolsv.exe	spoolsv.exe
PID 184 set thread context of 1944	184	spoolsv.exe	diskperf.exe
PID 2520 set thread context of 4616	2520	spoolsv.exe	spoolsv.exe
PID 2520 set thread context of 4628	2520	spoolsv.exe	diskperf.exe
PID 928 set thread context of 4664	928	spoolsv.exe	spoolsv.exe
PID 928 set thread context of 1752	928	spoolsv.exe	diskperf.exe
PID 3088 set thread context of 4696	3088	spoolsv.exe	spoolsv.exe
PID 3088 set thread context of 568	3088	spoolsv.exe	diskperf.exe
PID 2148 set thread context of 2212	2148	spoolsv.exe	spoolsv.exe
PID 2148 set thread context of 4740	2148	spoolsv.exe	diskperf.exe
PID 3484 set thread context of 1244	3484	spoolsv.exe	spoolsv.exe
PID 3000 set thread context of 4812	3000	spoolsv.exe	spoolsv.exe
PID 3000 set thread context of 4260	3000	spoolsv.exe	diskperf.exe
PID 1268 set thread context of 4860	1268	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

spoolsv.exeexplorer.exe33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exeexplorer.exe

pid	process
3124	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
3124	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2168 explorer.exe

pid	process
2168	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3124	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
3124	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
2168	explorer.exe
6656	spoolsv.exe
6656	spoolsv.exe
6736	spoolsv.exe
6736	spoolsv.exe
6800	spoolsv.exe
6800	spoolsv.exe
6864	spoolsv.exe
6864	spoolsv.exe
6944	spoolsv.exe
6944	spoolsv.exe
6984	spoolsv.exe
6984	spoolsv.exe
7068	spoolsv.exe
7100	spoolsv.exe
7068	spoolsv.exe
7100	spoolsv.exe
7160	spoolsv.exe
7160	spoolsv.exe
6712	spoolsv.exe
6712	spoolsv.exe
6768	spoolsv.exe
6768	spoolsv.exe
6816	spoolsv.exe
6816	spoolsv.exe
6904	spoolsv.exe
6904	spoolsv.exe
6964	spoolsv.exe
6964	spoolsv.exe
7044	spoolsv.exe
7044	spoolsv.exe
7112	spoolsv.exe
7112	spoolsv.exe
7152	spoolsv.exe
7152	spoolsv.exe
6680	spoolsv.exe
6680	spoolsv.exe
6756	spoolsv.exe
6756	spoolsv.exe
2264	spoolsv.exe
2264	spoolsv.exe
6920	spoolsv.exe
6920	spoolsv.exe
2860	spoolsv.exe
2860	spoolsv.exe
2496	spoolsv.exe
2496	spoolsv.exe
3212	spoolsv.exe
3212	spoolsv.exe
7156	spoolsv.exe
7156	spoolsv.exe
7108	spoolsv.exe
7108	spoolsv.exe
4536	spoolsv.exe
4536	spoolsv.exe
2264	spoolsv.exe
2264	spoolsv.exe
4616	spoolsv.exe
4616	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3368 wrote to memory of 3124	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 3368 wrote to memory of 3124	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 3368 wrote to memory of 3124	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 3368 wrote to memory of 3124	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 3368 wrote to memory of 3124	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 3368 wrote to memory of 3124	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 3368 wrote to memory of 3124	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 3368 wrote to memory of 3124	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
PID 3368 wrote to memory of 1116	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 3368 wrote to memory of 1116	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 3368 wrote to memory of 1116	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 3368 wrote to memory of 1116	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 3368 wrote to memory of 1116	3368	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	diskperf.exe
PID 3124 wrote to memory of 3696	3124	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	explorer.exe
PID 3124 wrote to memory of 3696	3124	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	explorer.exe
PID 3124 wrote to memory of 3696	3124	33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe	explorer.exe
PID 3696 wrote to memory of 2168	3696	explorer.exe	explorer.exe
PID 3696 wrote to memory of 2168	3696	explorer.exe	explorer.exe
PID 3696 wrote to memory of 2168	3696	explorer.exe	explorer.exe
PID 3696 wrote to memory of 2168	3696	explorer.exe	explorer.exe
PID 3696 wrote to memory of 2168	3696	explorer.exe	explorer.exe
PID 3696 wrote to memory of 2168	3696	explorer.exe	explorer.exe
PID 3696 wrote to memory of 2168	3696	explorer.exe	explorer.exe
PID 3696 wrote to memory of 2168	3696	explorer.exe	explorer.exe
PID 3696 wrote to memory of 1744	3696	explorer.exe	diskperf.exe
PID 3696 wrote to memory of 1744	3696	explorer.exe	diskperf.exe
PID 3696 wrote to memory of 1744	3696	explorer.exe	diskperf.exe
PID 3696 wrote to memory of 1744	3696	explorer.exe	diskperf.exe
PID 3696 wrote to memory of 1744	3696	explorer.exe	diskperf.exe
PID 2168 wrote to memory of 2848	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2848	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2848	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 764	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 764	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 764	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2648	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2648	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2648	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3888	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3888	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3888	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2612	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2612	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2612	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3788	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3788	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3788	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1596	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1596	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 1596	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3752	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3752	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3752	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3980	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3980	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3980	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 808	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 808	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 808	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3852	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3852	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 3852	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2304	2168	explorer.exe	spoolsv.exe
PID 2168 wrote to memory of 2304	2168	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
"C:\Users\Admin\AppData\Local\Temp\33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Local\Temp\33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe
"C:\Users\Admin\AppData\Local\Temp\33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3696

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6736

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6800

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6864

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7068

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3356

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6904

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7112

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7148

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7152

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2264

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2860

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2496

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7116

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7128

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1240

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7108

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4536

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2264

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2508

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3340

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4664

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:200

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1244

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4812

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4536

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4860

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3616

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4892

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4928

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4976

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3548

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:504

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4840

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2596

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2528

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1096

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4976

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4088

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1244

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3876

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5144

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5176

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1020

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4124

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4152

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4172

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5308

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2528

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4220

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5208

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4288

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5440

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5488

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5520

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5356

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1744

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1116

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b9e4fdb4f1d1e50fb2b1bc6f8e648e91

SHA1
afe3e9370a5fb240ae917a9089fc07b6a54a7bd6

SHA256
33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5

SHA512
ff4f45aca5c634e0e64623c8dd1e5521b502713166c5cc01699d3eef24b39e3ae7238d8afa61457c418d242cadb9505ba09a7b50cfac55cf5fa4855c7bdb2cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
d917e4cf5b4719888d91330b3232028d

SHA1
c016d2f4cba1b13e9ff1529bea97262881870a94

SHA256
554268c2e21cc2088f66b519e12fd4c99de99c0b7950eb3587585940714379d4

SHA512
935716ab9c76c790047648838b1c0b19ab063b21e40ba140d18435c0aee4d9fd9f79a41bdf9429b4e7c8eb2f3621e359d21bd88488e3ed6cd192824cc0950fb0

Download Submit
C:\Windows\System\explorer.exe
MD5
d917e4cf5b4719888d91330b3232028d

SHA1
c016d2f4cba1b13e9ff1529bea97262881870a94

SHA256
554268c2e21cc2088f66b519e12fd4c99de99c0b7950eb3587585940714379d4

SHA512
935716ab9c76c790047648838b1c0b19ab063b21e40ba140d18435c0aee4d9fd9f79a41bdf9429b4e7c8eb2f3621e359d21bd88488e3ed6cd192824cc0950fb0

Download Submit
C:\Windows\System\explorer.exe
MD5
d917e4cf5b4719888d91330b3232028d

SHA1
c016d2f4cba1b13e9ff1529bea97262881870a94

SHA256
554268c2e21cc2088f66b519e12fd4c99de99c0b7950eb3587585940714379d4

SHA512
935716ab9c76c790047648838b1c0b19ab063b21e40ba140d18435c0aee4d9fd9f79a41bdf9429b4e7c8eb2f3621e359d21bd88488e3ed6cd192824cc0950fb0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
\??\c:\windows\system\explorer.exe
MD5
d917e4cf5b4719888d91330b3232028d

SHA1
c016d2f4cba1b13e9ff1529bea97262881870a94

SHA256
554268c2e21cc2088f66b519e12fd4c99de99c0b7950eb3587585940714379d4

SHA512
935716ab9c76c790047648838b1c0b19ab063b21e40ba140d18435c0aee4d9fd9f79a41bdf9429b4e7c8eb2f3621e359d21bd88488e3ed6cd192824cc0950fb0

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
ac4cd330fae3e216cd794cc9d33246d6

SHA1
25cebd006a1aa9eb81e9063a1a00564664f942b9

SHA256
8458948ca6dbebbe3c551c92b01678131456698e3343bedfdd153bd321c13b8f

SHA512
70b4af9aaf679eba634dd578db85c25b590c65a68cbe6a51326b176b3afe4b173ea005493c8b1c869dbfc41a49dbe2e5b30afc149e93b87bca75da5d5920bf6a

Download Submit
memory/184-226-0x0000000000000000-mapping.dmp

Download
memory/184-232-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/580-188-0x0000000000000000-mapping.dmp

Download
memory/580-196-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/740-197-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/740-194-0x0000000000000000-mapping.dmp

Download
memory/764-147-0x0000000000000000-mapping.dmp

Download
memory/764-150-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/808-172-0x0000000000000000-mapping.dmp

Download
memory/808-178-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/928-234-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/928-230-0x0000000000000000-mapping.dmp

Download
memory/1092-210-0x0000000000000000-mapping.dmp

Download
memory/1092-215-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1116-123-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1116-118-0x0000000000411000-mapping.dmp

Download
memory/1116-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1212-190-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1212-185-0x0000000000000000-mapping.dmp

Download
memory/1268-253-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1268-247-0x0000000000000000-mapping.dmp

Download
memory/1392-262-0x0000000000000000-mapping.dmp

Download
memory/1392-267-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1596-163-0x0000000000000000-mapping.dmp

Download
memory/1596-169-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1684-221-0x0000000000000000-mapping.dmp

Download
memory/1684-225-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1744-136-0x0000000000411000-mapping.dmp

Download
memory/2064-212-0x0000000000000000-mapping.dmp

Download
memory/2064-216-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2068-277-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2068-274-0x0000000000000000-mapping.dmp

Download
memory/2148-237-0x0000000000000000-mapping.dmp

Download
memory/2168-141-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2168-131-0x0000000000403670-mapping.dmp

Download
memory/2200-217-0x0000000000000000-mapping.dmp

Download
memory/2200-223-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2304-176-0x0000000000000000-mapping.dmp

Download
memory/2304-180-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2320-205-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2320-201-0x0000000000000000-mapping.dmp

Download
memory/2420-279-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2420-272-0x0000000000000000-mapping.dmp

Download
memory/2520-233-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2520-228-0x0000000000000000-mapping.dmp

Download
memory/2544-260-0x0000000000000000-mapping.dmp

Download
memory/2544-266-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2612-162-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2612-155-0x0000000000000000-mapping.dmp

Download
memory/2628-258-0x0000000000000000-mapping.dmp

Download
memory/2628-265-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2648-159-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2648-151-0x0000000000000000-mapping.dmp

Download
memory/2660-249-0x0000000000000000-mapping.dmp

Download
memory/2660-254-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2668-204-0x0000000000000000-mapping.dmp

Download
memory/2668-207-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2704-268-0x0000000000000000-mapping.dmp

Download
memory/2704-276-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2848-144-0x0000000000000000-mapping.dmp

Download
memory/2848-149-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2864-278-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2864-270-0x0000000000000000-mapping.dmp

Download
memory/3000-242-0x0000000000000000-mapping.dmp

Download
memory/3000-245-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3008-208-0x0000000000000000-mapping.dmp

Download
memory/3088-241-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3088-235-0x0000000000000000-mapping.dmp

Download
memory/3124-122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3124-116-0x0000000000403670-mapping.dmp

Download
memory/3124-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3292-199-0x0000000000000000-mapping.dmp

Download
memory/3292-203-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3368-114-0x0000000000630000-0x000000000077A000-memory.dmp

Filesize
1.3MB

Download
memory/3440-181-0x0000000000000000-mapping.dmp

Download
memory/3440-187-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3484-239-0x0000000000000000-mapping.dmp

Download
memory/3484-246-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3600-189-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/3600-183-0x0000000000000000-mapping.dmp

Download
memory/3612-256-0x0000000000000000-mapping.dmp

Download
memory/3612-264-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3696-129-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/3696-126-0x0000000000000000-mapping.dmp

Download
memory/3696-224-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3696-219-0x0000000000000000-mapping.dmp

Download
memory/3752-165-0x0000000000000000-mapping.dmp

Download
memory/3752-170-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/3788-160-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3788-157-0x0000000000000000-mapping.dmp

Download
memory/3852-174-0x0000000000000000-mapping.dmp

Download
memory/3852-179-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3888-153-0x0000000000000000-mapping.dmp

Download
memory/3888-161-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3980-167-0x0000000000000000-mapping.dmp

Download
memory/3980-171-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3996-255-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3996-251-0x0000000000000000-mapping.dmp

Download
memory/4072-192-0x0000000000000000-mapping.dmp

Download
memory/4108-286-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4108-280-0x0000000000000000-mapping.dmp

Download
memory/4132-282-0x0000000000000000-mapping.dmp

Download
memory/4132-287-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/4156-284-0x0000000000000000-mapping.dmp

Download
memory/4156-288-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4192-297-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4192-289-0x0000000000000000-mapping.dmp

Download
memory/4216-299-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4216-291-0x0000000000000000-mapping.dmp

Download
memory/4240-300-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4240-293-0x0000000000000000-mapping.dmp

Download
memory/4264-295-0x0000000000000000-mapping.dmp

Download
memory/4264-298-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/4304-307-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4304-301-0x0000000000000000-mapping.dmp

Download
memory/4328-309-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4328-303-0x0000000000000000-mapping.dmp

Download
memory/4352-308-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4352-305-0x0000000000000000-mapping.dmp

Download
memory/4388-310-0x0000000000000000-mapping.dmp

Download
memory/4388-317-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4412-312-0x0000000000000000-mapping.dmp

Download
memory/4412-319-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/4436-314-0x0000000000000000-mapping.dmp

Download
memory/4460-316-0x0000000000000000-mapping.dmp

Download
memory/4460-318-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads