warzonerat | 8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce

Analysis

max time kernel
150s
max time network
125s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
Size

1.8MB
MD5

fab3488dffbdf592f61708e6814c1ef1
SHA1

94ec6b78f7949a3c5fe7c6078a5541235c53fa7c
SHA256

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce
SHA512

c2d139ece8d85dbb78865234991a6849f137a76bd346539f38dff3b3b42be111403c9a44f23c6724a6dd1741baa69d6672b15480f4ed47d7f9886fcdf8ce6aa3

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
508	explorer.exe
3996	explorer.exe
1556	spoolsv.exe
3912	spoolsv.exe
1300	spoolsv.exe
1684	spoolsv.exe
3500	spoolsv.exe
2224	spoolsv.exe
3736	spoolsv.exe
2740	spoolsv.exe
2472	spoolsv.exe
2416	spoolsv.exe
1012	spoolsv.exe
3832	spoolsv.exe
2096	spoolsv.exe
3340	spoolsv.exe
3040	spoolsv.exe
1924	spoolsv.exe
820	spoolsv.exe
3348	spoolsv.exe
2180	spoolsv.exe
1240	spoolsv.exe
2496	spoolsv.exe
656	spoolsv.exe
3628	spoolsv.exe
2840	spoolsv.exe
2396	spoolsv.exe
4004	spoolsv.exe
580	spoolsv.exe
1224	spoolsv.exe
1692	spoolsv.exe
1352	spoolsv.exe
2736	spoolsv.exe
3644	spoolsv.exe
2232	spoolsv.exe
2228	spoolsv.exe
3744	spoolsv.exe
944	spoolsv.exe
1160	spoolsv.exe
3740	spoolsv.exe
2108	spoolsv.exe
2188	spoolsv.exe
2644	spoolsv.exe
4076	spoolsv.exe
1968	spoolsv.exe
2336	spoolsv.exe
2156	spoolsv.exe
3152	spoolsv.exe
1296	spoolsv.exe
4108	spoolsv.exe
4140	spoolsv.exe
4168	spoolsv.exe
4192	spoolsv.exe
4216	spoolsv.exe
4256	spoolsv.exe
4280	spoolsv.exe
4304	spoolsv.exe
4340	spoolsv.exe
4364	spoolsv.exe
4388	spoolsv.exe
4412	spoolsv.exe
4444	spoolsv.exe
4468	spoolsv.exe
4484	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3744 set thread context of 3856	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 3744 set thread context of 3296	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 508 set thread context of 3996	508	explorer.exe	explorer.exe
PID 1556 set thread context of 6644	1556	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 6668	1556	spoolsv.exe	diskperf.exe
PID 3912 set thread context of 6748	3912	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 6800	1300	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 6840	1300	spoolsv.exe	diskperf.exe
PID 1684 set thread context of 6864	1684	spoolsv.exe	spoolsv.exe
PID 3500 set thread context of 6908	3500	spoolsv.exe	spoolsv.exe
PID 3500 set thread context of 6924	3500	spoolsv.exe	diskperf.exe
PID 2224 set thread context of 6996	2224	spoolsv.exe	spoolsv.exe
PID 3736 set thread context of 7036	3736	spoolsv.exe	spoolsv.exe
PID 3736 set thread context of 7064	3736	spoolsv.exe	diskperf.exe
PID 2740 set thread context of 7120	2740	spoolsv.exe	spoolsv.exe
PID 2740 set thread context of 7136	2740	spoolsv.exe	diskperf.exe
PID 2472 set thread context of 1428	2472	spoolsv.exe	spoolsv.exe
PID 2472 set thread context of 3844	2472	spoolsv.exe	diskperf.exe
PID 2416 set thread context of 6648	2416	spoolsv.exe	spoolsv.exe
PID 2416 set thread context of 3616	2416	spoolsv.exe	diskperf.exe
PID 1012 set thread context of 6780	1012	spoolsv.exe	spoolsv.exe
PID 1012 set thread context of 6816	1012	spoolsv.exe	diskperf.exe
PID 3832 set thread context of 6852	3832	spoolsv.exe	spoolsv.exe
PID 3832 set thread context of 6804	3832	spoolsv.exe	diskperf.exe
PID 2096 set thread context of 6936	2096	spoolsv.exe	spoolsv.exe
PID 3340 set thread context of 6940	3340	spoolsv.exe	spoolsv.exe
PID 3340 set thread context of 6976	3340	spoolsv.exe	diskperf.exe
PID 3040 set thread context of 7044	3040	spoolsv.exe	spoolsv.exe
PID 1924 set thread context of 7008	1924	spoolsv.exe	spoolsv.exe
PID 1924 set thread context of 7040	1924	spoolsv.exe	diskperf.exe
PID 820 set thread context of 7160	820	spoolsv.exe	spoolsv.exe
PID 820 set thread context of 6700	820	spoolsv.exe	diskperf.exe
PID 3348 set thread context of 6660	3348	spoolsv.exe	spoolsv.exe
PID 2180 set thread context of 3984	2180	spoolsv.exe	spoolsv.exe
PID 1240 set thread context of 6824	1240	spoolsv.exe	spoolsv.exe
PID 1240 set thread context of 1792	1240	spoolsv.exe	diskperf.exe
PID 2496 set thread context of 6936	2496	spoolsv.exe	spoolsv.exe
PID 656 set thread context of 4320	656	spoolsv.exe	spoolsv.exe
PID 656 set thread context of 7080	656	spoolsv.exe	diskperf.exe
PID 3628 set thread context of 212	3628	spoolsv.exe	spoolsv.exe
PID 3628 set thread context of 1824	3628	spoolsv.exe	diskperf.exe
PID 2840 set thread context of 356	2840	spoolsv.exe	spoolsv.exe
PID 2840 set thread context of 3936	2840	spoolsv.exe	diskperf.exe
PID 2396 set thread context of 2648	2396	spoolsv.exe	spoolsv.exe
PID 2396 set thread context of 2448	2396	spoolsv.exe	diskperf.exe
PID 4004 set thread context of 2420	4004	spoolsv.exe	spoolsv.exe
PID 4004 set thread context of 4052	4004	spoolsv.exe	diskperf.exe
PID 580 set thread context of 3108	580	spoolsv.exe	spoolsv.exe
PID 1224 set thread context of 2964	1224	spoolsv.exe	spoolsv.exe
PID 1224 set thread context of 6824	1224	spoolsv.exe	diskperf.exe
PID 1692 set thread context of 4524	1692	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 6884	1692	spoolsv.exe	diskperf.exe
PID 1352 set thread context of 4564	1352	spoolsv.exe	spoolsv.exe
PID 1352 set thread context of 3032	1352	spoolsv.exe	diskperf.exe
PID 2736 set thread context of 908	2736	spoolsv.exe	spoolsv.exe
PID 2736 set thread context of 4624	2736	spoolsv.exe	diskperf.exe
PID 3644 set thread context of 2780	3644	spoolsv.exe	spoolsv.exe
PID 3644 set thread context of 4652	3644	spoolsv.exe	diskperf.exe
PID 2232 set thread context of 1332	2232	spoolsv.exe	spoolsv.exe
PID 2228 set thread context of 1544	2228	spoolsv.exe	spoolsv.exe
PID 2228 set thread context of 4428	2228	spoolsv.exe	diskperf.exe
PID 3744 set thread context of 4496	3744	spoolsv.exe	spoolsv.exe
PID 3744 set thread context of 3984	3744	spoolsv.exe	diskperf.exe
PID 944 set thread context of 4748	944	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exeexplorer.exe

pid	process
3856	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
3856	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3996 explorer.exe

pid	process
3996	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3856	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
3856	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
3996	explorer.exe
6644	spoolsv.exe
6644	spoolsv.exe
6748	spoolsv.exe
6748	spoolsv.exe
6800	spoolsv.exe
6800	spoolsv.exe
6864	spoolsv.exe
6908	spoolsv.exe
6864	spoolsv.exe
6908	spoolsv.exe
6996	spoolsv.exe
6996	spoolsv.exe
7036	spoolsv.exe
7036	spoolsv.exe
7120	spoolsv.exe
7120	spoolsv.exe
1428	spoolsv.exe
1428	spoolsv.exe
6648	spoolsv.exe
6648	spoolsv.exe
6780	spoolsv.exe
6780	spoolsv.exe
6852	spoolsv.exe
6852	spoolsv.exe
6936	spoolsv.exe
6936	spoolsv.exe
6940	spoolsv.exe
6940	spoolsv.exe
7044	spoolsv.exe
7044	spoolsv.exe
7008	spoolsv.exe
7008	spoolsv.exe
7160	spoolsv.exe
7160	spoolsv.exe
6660	spoolsv.exe
6660	spoolsv.exe
3984	spoolsv.exe
3984	spoolsv.exe
6824	spoolsv.exe
6824	spoolsv.exe
6936	spoolsv.exe
6936	spoolsv.exe
4320	spoolsv.exe
4320	spoolsv.exe
212	spoolsv.exe
212	spoolsv.exe
356	spoolsv.exe
356	spoolsv.exe
2648	spoolsv.exe
2648	spoolsv.exe
2420	spoolsv.exe
2420	spoolsv.exe
3108	spoolsv.exe
3108	spoolsv.exe
2964	spoolsv.exe
2964	spoolsv.exe
4524	spoolsv.exe
4524	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3744 wrote to memory of 3856	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 3744 wrote to memory of 3856	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 3744 wrote to memory of 3856	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 3744 wrote to memory of 3856	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 3744 wrote to memory of 3856	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 3744 wrote to memory of 3856	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 3744 wrote to memory of 3856	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 3744 wrote to memory of 3856	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 3744 wrote to memory of 3296	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 3744 wrote to memory of 3296	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 3744 wrote to memory of 3296	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 3744 wrote to memory of 3296	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 3744 wrote to memory of 3296	3744	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 3856 wrote to memory of 508	3856	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	explorer.exe
PID 3856 wrote to memory of 508	3856	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	explorer.exe
PID 3856 wrote to memory of 508	3856	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	explorer.exe
PID 508 wrote to memory of 3996	508	explorer.exe	explorer.exe
PID 508 wrote to memory of 3996	508	explorer.exe	explorer.exe
PID 508 wrote to memory of 3996	508	explorer.exe	explorer.exe
PID 508 wrote to memory of 3996	508	explorer.exe	explorer.exe
PID 508 wrote to memory of 3996	508	explorer.exe	explorer.exe
PID 508 wrote to memory of 3996	508	explorer.exe	explorer.exe
PID 508 wrote to memory of 3996	508	explorer.exe	explorer.exe
PID 508 wrote to memory of 3996	508	explorer.exe	explorer.exe
PID 508 wrote to memory of 3292	508	explorer.exe	diskperf.exe
PID 508 wrote to memory of 3292	508	explorer.exe	diskperf.exe
PID 508 wrote to memory of 3292	508	explorer.exe	diskperf.exe
PID 3996 wrote to memory of 1556	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1556	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1556	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3912	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3912	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3912	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1300	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1300	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1300	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1684	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1684	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1684	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3500	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3500	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3500	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2224	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2224	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2224	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3736	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3736	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3736	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2740	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2740	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2740	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2472	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2472	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2472	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2416	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2416	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2416	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1012	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1012	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 1012	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3832	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3832	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 3832	3996	explorer.exe	spoolsv.exe
PID 3996 wrote to memory of 2096	3996	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
"C:\Users\Admin\AppData\Local\Temp\8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
"C:\Users\Admin\AppData\Local\Temp\8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3856

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:508

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6864

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6996

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7052

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7120

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6780

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6788

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6852

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3352

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6936

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3612

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6940

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2700

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7128

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7160

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6660

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3984

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4236

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1544

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2152

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6936

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4320

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:356

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1384

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2420

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4460

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3108

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4476

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4524

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4564

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:908

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2780

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1332

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4496

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4524

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4104

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4884

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1056

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5476

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4900

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:6772

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4496

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5080

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4852

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2176

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4252

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:516

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4292

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3404

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4352

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4456

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:912

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3972

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1184

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2172

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5276

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3444

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5332

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5364

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5080

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5192

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:3292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:3296

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
fab3488dffbdf592f61708e6814c1ef1

SHA1
94ec6b78f7949a3c5fe7c6078a5541235c53fa7c

SHA256
8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce

SHA512
c2d139ece8d85dbb78865234991a6849f137a76bd346539f38dff3b3b42be111403c9a44f23c6724a6dd1741baa69d6672b15480f4ed47d7f9886fcdf8ce6aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
dff7f4a039b8f07d571f535cfd65ab41

SHA1
1eebe05ab0a22878ac1a6a0e39a95e49c0e78498

SHA256
c8a3893881b64bfb83b295bbaf3ade3ebb5b233079990d1322bb12fcffa97277

SHA512
3312099030895d2b43bab4539c3fd1dfd789ea0f7316975f46e39782f6d30f5b01138e1ec7768343f113a4f2e49befa4454accbefd29e7cb198598a188138716

Download Submit
C:\Windows\System\explorer.exe
MD5
dff7f4a039b8f07d571f535cfd65ab41

SHA1
1eebe05ab0a22878ac1a6a0e39a95e49c0e78498

SHA256
c8a3893881b64bfb83b295bbaf3ade3ebb5b233079990d1322bb12fcffa97277

SHA512
3312099030895d2b43bab4539c3fd1dfd789ea0f7316975f46e39782f6d30f5b01138e1ec7768343f113a4f2e49befa4454accbefd29e7cb198598a188138716

Download Submit
C:\Windows\System\explorer.exe
MD5
dff7f4a039b8f07d571f535cfd65ab41

SHA1
1eebe05ab0a22878ac1a6a0e39a95e49c0e78498

SHA256
c8a3893881b64bfb83b295bbaf3ade3ebb5b233079990d1322bb12fcffa97277

SHA512
3312099030895d2b43bab4539c3fd1dfd789ea0f7316975f46e39782f6d30f5b01138e1ec7768343f113a4f2e49befa4454accbefd29e7cb198598a188138716

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
\??\c:\windows\system\explorer.exe
MD5
dff7f4a039b8f07d571f535cfd65ab41

SHA1
1eebe05ab0a22878ac1a6a0e39a95e49c0e78498

SHA256
c8a3893881b64bfb83b295bbaf3ade3ebb5b233079990d1322bb12fcffa97277

SHA512
3312099030895d2b43bab4539c3fd1dfd789ea0f7316975f46e39782f6d30f5b01138e1ec7768343f113a4f2e49befa4454accbefd29e7cb198598a188138716

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
3732a48294348f363e38cff1b3c7e696

SHA1
2613ea02a09224c81529cb81f0eac578433650ef

SHA256
deecbdd4779b6aeb9e231eacc085d2a568e0051b0cf71faacb8f0e2a18f0c86d

SHA512
8927da42ba23eee7f5f12fac27712ebb16c98c604fa39e18111e991bacbbffcfa4dfb141d08d0699c534807ccb557c79fd33ac7e78ee5744ac96b3af77e44465

Download Submit
memory/508-129-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/508-124-0x0000000000000000-mapping.dmp

Download
memory/580-224-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/580-217-0x0000000000000000-mapping.dmp

Download
memory/656-204-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/656-201-0x0000000000000000-mapping.dmp

Download
memory/820-193-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/820-187-0x0000000000000000-mapping.dmp

Download
memory/944-245-0x0000000000000000-mapping.dmp

Download
memory/1012-174-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1012-168-0x0000000000000000-mapping.dmp

Download
memory/1160-247-0x0000000000000000-mapping.dmp

Download
memory/1160-252-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1224-219-0x0000000000000000-mapping.dmp

Download
memory/1224-225-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1240-197-0x0000000000000000-mapping.dmp

Download
memory/1240-203-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1296-277-0x0000000000000000-mapping.dmp

Download
memory/1296-282-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1300-153-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1300-145-0x0000000000000000-mapping.dmp

Download
memory/1352-227-0x0000000000000000-mapping.dmp

Download
memory/1352-233-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1556-142-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1556-139-0x0000000000000000-mapping.dmp

Download
memory/1684-147-0x0000000000000000-mapping.dmp

Download
memory/1684-154-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1692-226-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1692-221-0x0000000000000000-mapping.dmp

Download
memory/1924-191-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1924-185-0x0000000000000000-mapping.dmp

Download
memory/1968-266-0x0000000000000000-mapping.dmp

Download
memory/1968-272-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2096-182-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2096-176-0x0000000000000000-mapping.dmp

Download
memory/2108-262-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2108-254-0x0000000000000000-mapping.dmp

Download
memory/2156-270-0x0000000000000000-mapping.dmp

Download
memory/2156-273-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2180-195-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2180-192-0x0000000000000000-mapping.dmp

Download
memory/2188-264-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2188-256-0x0000000000000000-mapping.dmp

Download
memory/2224-155-0x0000000000000000-mapping.dmp

Download
memory/2224-161-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2228-243-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2228-238-0x0000000000000000-mapping.dmp

Download
memory/2232-236-0x0000000000000000-mapping.dmp

Download
memory/2232-242-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2336-268-0x0000000000000000-mapping.dmp

Download
memory/2336-274-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2396-214-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2396-210-0x0000000000000000-mapping.dmp

Download
memory/2416-172-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2416-166-0x0000000000000000-mapping.dmp

Download
memory/2472-170-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2472-164-0x0000000000000000-mapping.dmp

Download
memory/2496-199-0x0000000000000000-mapping.dmp

Download
memory/2496-205-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2644-265-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2644-258-0x0000000000000000-mapping.dmp

Download
memory/2736-234-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2736-229-0x0000000000000000-mapping.dmp

Download
memory/2740-163-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2740-159-0x0000000000000000-mapping.dmp

Download
memory/2840-213-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2840-208-0x0000000000000000-mapping.dmp

Download
memory/3040-184-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3040-180-0x0000000000000000-mapping.dmp

Download
memory/3152-275-0x0000000000000000-mapping.dmp

Download
memory/3152-281-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3296-118-0x0000000000411000-mapping.dmp

Download
memory/3296-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3296-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3340-178-0x0000000000000000-mapping.dmp

Download
memory/3340-183-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3348-196-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/3348-189-0x0000000000000000-mapping.dmp

Download
memory/3500-149-0x0000000000000000-mapping.dmp

Download
memory/3500-152-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3628-212-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3628-206-0x0000000000000000-mapping.dmp

Download
memory/3644-235-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/3644-231-0x0000000000000000-mapping.dmp

Download
memory/3736-157-0x0000000000000000-mapping.dmp

Download
memory/3740-249-0x0000000000000000-mapping.dmp

Download
memory/3740-253-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3744-114-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3744-240-0x0000000000000000-mapping.dmp

Download
memory/3744-244-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3832-171-0x0000000000000000-mapping.dmp

Download
memory/3832-175-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3856-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3856-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3856-116-0x0000000000403670-mapping.dmp

Download
memory/3912-143-0x0000000000000000-mapping.dmp

Download
memory/3912-151-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3996-131-0x0000000000403670-mapping.dmp

Download
memory/4004-215-0x0000000000000000-mapping.dmp

Download
memory/4004-223-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4076-263-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4076-260-0x0000000000000000-mapping.dmp

Download
memory/4108-279-0x0000000000000000-mapping.dmp

Download
memory/4140-292-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/4140-283-0x0000000000000000-mapping.dmp

Download
memory/4168-286-0x0000000000000000-mapping.dmp

Download
memory/4168-294-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download
memory/4192-295-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4192-288-0x0000000000000000-mapping.dmp

Download
memory/4216-293-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4216-290-0x0000000000000000-mapping.dmp

Download
memory/4256-296-0x0000000000000000-mapping.dmp

Download
memory/4256-302-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/4280-303-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/4280-298-0x0000000000000000-mapping.dmp

Download
memory/4304-304-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4304-300-0x0000000000000000-mapping.dmp

Download
memory/4340-305-0x0000000000000000-mapping.dmp

Download
memory/4340-312-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4364-307-0x0000000000000000-mapping.dmp

Download
memory/4364-313-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4388-309-0x0000000000000000-mapping.dmp

Download
memory/4388-314-0x0000000000620000-0x000000000076A000-memory.dmp

Filesize
1.3MB

Download
memory/4412-311-0x0000000000000000-mapping.dmp

Download
memory/4412-316-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4444-315-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads