warzonerat | 02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
Size

2.9MB
MD5

60a69e78e37de9936c7d7274c67abda4
SHA1

7687addc4a89ced80ce7dd372422b7d91ee8d4f3
SHA256

02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d
SHA512

754ab07ea26d0512422de8b3375be68366fc7def4511b8313db08d38f424eaf9f857aea46900c1e9e6c61418d15571762bdc5adb1fa6aec5e08256f425522464
SSDEEP

24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHn:ATU7AAmw4gxeOw46fUbNecCCFbNecQ

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects executables packed with ASPack 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1700-2-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-9-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-10-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-12-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-6-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-4-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-8-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-3-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-5-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-13-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-25-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1700-30-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-50-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-49-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-47-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-46-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-48-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-45-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-55-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-74-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-68-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3200-91-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3200-88-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3200-89-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3200-87-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3200-86-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3200-90-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4400-106-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2736-116-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2736-115-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2736-119-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2736-117-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2736-114-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2736-118-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2628-131-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2628-125-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2628-124-0x0000000000400000-0x0000000001990000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/5008-142-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3324-156-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2620-168-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4432-183-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4076-198-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3468-210-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2416-225-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/924-240-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1184-253-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3272-268-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4084-282-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3844-290-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4516-305-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3524-319-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4564-335-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2408-348-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3952-359-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3764-371-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/836-383-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4912-395-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1572-408-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2140-421-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/116-433-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2764-446-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2916-460-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3200-504-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3324-601-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack

UPX dump on OEP (original entry point) 37 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1140-0-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/1140-11-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
C:\Windows\System\explorer.exe	UPX
behavioral2/memory/3568-51-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	UPX
C:\Windows\System\spoolsv.exe	UPX
behavioral2/memory/2000-80-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/2828-95-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/4192-108-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/2580-121-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/3580-134-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/3248-144-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/2096-169-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/5032-171-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/5032-184-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/4852-186-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/1972-211-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/4612-213-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/3328-227-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/2356-242-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/4004-256-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/4812-270-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/184-284-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/3128-293-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/2936-308-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/2156-333-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/4380-337-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/4056-350-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/1300-360-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/2984-372-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/2452-384-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/3644-396-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/1332-409-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/4812-422-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/2388-434-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/3972-447-0x0000000000400000-0x0000000000446000-memory.dmp	UPX
behavioral2/memory/3380-461-0x0000000000400000-0x0000000000446000-memory.dmp	UPX

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 38 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3568	explorer.exe
2288	explorer.exe
516	explorer.exe
2000	spoolsv.exe
3200	spoolsv.exe
2828	spoolsv.exe
4400	spoolsv.exe
4192	spoolsv.exe
2736	spoolsv.exe
2580	spoolsv.exe
2628	spoolsv.exe
3580	spoolsv.exe
5008	spoolsv.exe
3248	spoolsv.exe
3324	spoolsv.exe
2096	spoolsv.exe
2620	spoolsv.exe
5032	spoolsv.exe
4432	spoolsv.exe
4852	spoolsv.exe
4076	spoolsv.exe
1972	spoolsv.exe
3468	spoolsv.exe
4612	spoolsv.exe
2416	spoolsv.exe
3328	spoolsv.exe
924	spoolsv.exe
2356	spoolsv.exe
1184	spoolsv.exe
4004	spoolsv.exe
3272	spoolsv.exe
4812	spoolsv.exe
4084	spoolsv.exe
184	spoolsv.exe
3844	spoolsv.exe
3128	spoolsv.exe
4516	spoolsv.exe
2936	spoolsv.exe
3524	spoolsv.exe
2156	spoolsv.exe
4564	spoolsv.exe
4380	spoolsv.exe
2408	spoolsv.exe
4056	spoolsv.exe
3952	spoolsv.exe
1300	spoolsv.exe
3764	spoolsv.exe
2984	spoolsv.exe
836	spoolsv.exe
2452	spoolsv.exe
4912	spoolsv.exe
3644	spoolsv.exe
1572	spoolsv.exe
1332	spoolsv.exe
2140	spoolsv.exe
4812	spoolsv.exe
116	spoolsv.exe
2388	spoolsv.exe
2764	spoolsv.exe
3972	spoolsv.exe
3540	spoolsv.exe
3176	spoolsv.exe
3100	spoolsv.exe
2936	spoolsv.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1140-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1140-11-0x0000000000400000-0x0000000000446000-memory.dmp	upx
C:\Windows\System\explorer.exe	upx
behavioral2/memory/3568-51-0x0000000000400000-0x0000000000446000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	upx
C:\Windows\System\spoolsv.exe	upx
behavioral2/memory/2000-80-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2828-95-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4192-108-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2580-121-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3580-134-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3248-144-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2096-169-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/5032-171-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/5032-184-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4852-186-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1972-211-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4612-213-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3328-227-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2356-242-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4004-256-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4812-270-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/184-284-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3128-293-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2936-308-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2156-333-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4380-337-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4056-350-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1300-360-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2984-372-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2452-384-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3644-396-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1332-409-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4812-422-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2388-434-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3972-447-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3380-461-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exe02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 56 IoCs

Processes:

02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1140 set thread context of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 set thread context of 5056	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 set thread context of 640	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	diskperf.exe
PID 3568 set thread context of 2288	3568	explorer.exe	explorer.exe
PID 2288 set thread context of 516	2288	explorer.exe	explorer.exe
PID 2288 set thread context of 2296	2288	explorer.exe	diskperf.exe
PID 2000 set thread context of 3200	2000	spoolsv.exe	spoolsv.exe
PID 2828 set thread context of 4400	2828	spoolsv.exe	spoolsv.exe
PID 4192 set thread context of 2736	4192	spoolsv.exe	spoolsv.exe
PID 2580 set thread context of 2628	2580	spoolsv.exe	spoolsv.exe
PID 3580 set thread context of 5008	3580	spoolsv.exe	spoolsv.exe
PID 3248 set thread context of 3324	3248	spoolsv.exe	spoolsv.exe
PID 2096 set thread context of 2620	2096	spoolsv.exe	spoolsv.exe
PID 5032 set thread context of 4432	5032	spoolsv.exe	spoolsv.exe
PID 4852 set thread context of 4076	4852	spoolsv.exe	spoolsv.exe
PID 1972 set thread context of 3468	1972	spoolsv.exe	spoolsv.exe
PID 4612 set thread context of 2416	4612	spoolsv.exe	spoolsv.exe
PID 3328 set thread context of 924	3328	spoolsv.exe	spoolsv.exe
PID 2356 set thread context of 1184	2356	spoolsv.exe	spoolsv.exe
PID 4004 set thread context of 3272	4004	spoolsv.exe	spoolsv.exe
PID 4812 set thread context of 4084	4812	spoolsv.exe	spoolsv.exe
PID 184 set thread context of 3844	184	spoolsv.exe	spoolsv.exe
PID 3128 set thread context of 4516	3128	spoolsv.exe	spoolsv.exe
PID 2936 set thread context of 3524	2936	spoolsv.exe	spoolsv.exe
PID 2156 set thread context of 4564	2156	spoolsv.exe	spoolsv.exe
PID 4380 set thread context of 2408	4380	spoolsv.exe	spoolsv.exe
PID 4056 set thread context of 3952	4056	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 3764	1300	spoolsv.exe	spoolsv.exe
PID 2984 set thread context of 836	2984	spoolsv.exe	spoolsv.exe
PID 2452 set thread context of 4912	2452	spoolsv.exe	spoolsv.exe
PID 3644 set thread context of 1572	3644	spoolsv.exe	spoolsv.exe
PID 1332 set thread context of 2140	1332	spoolsv.exe	spoolsv.exe
PID 4812 set thread context of 116	4812	spoolsv.exe	spoolsv.exe
PID 2388 set thread context of 2764	2388	spoolsv.exe	spoolsv.exe
PID 3972 set thread context of 2916	3972	spoolsv.exe	spoolsv.exe
PID 3380 set thread context of 764	3380	spoolsv.exe	spoolsv.exe
PID 3100 set thread context of 2168	3100	spoolsv.exe	spoolsv.exe
PID 3144 set thread context of 3180	3144	spoolsv.exe	spoolsv.exe
PID 3200 set thread context of 1296	3200	spoolsv.exe	spoolsv.exe
PID 3200 set thread context of 4636	3200	spoolsv.exe	diskperf.exe
PID 4080 set thread context of 4092	4080	spoolsv.exe	spoolsv.exe
PID 2944 set thread context of 1632	2944	explorer.exe	explorer.exe
PID 1736 set thread context of 3384	1736	spoolsv.exe	spoolsv.exe
PID 2392 set thread context of 3776	2392	spoolsv.exe	spoolsv.exe
PID 1852 set thread context of 3796	1852	spoolsv.exe	spoolsv.exe
PID 3656 set thread context of 3304	3656	spoolsv.exe	spoolsv.exe
PID 3324 set thread context of 4168	3324	spoolsv.exe	spoolsv.exe
PID 3324 set thread context of 3768	3324	spoolsv.exe	diskperf.exe
PID 2620 set thread context of 3056	2620	spoolsv.exe	spoolsv.exe
PID 2620 set thread context of 2472	2620	spoolsv.exe	diskperf.exe
PID 4400 set thread context of 4936	4400	spoolsv.exe	spoolsv.exe
PID 4400 set thread context of 1676	4400	spoolsv.exe	diskperf.exe
PID 5008 set thread context of 3380	5008	spoolsv.exe	spoolsv.exe
PID 5008 set thread context of 3204	5008	spoolsv.exe	diskperf.exe
PID 2736 set thread context of 4288	2736	spoolsv.exe	spoolsv.exe
PID 4432 set thread context of 3416	4432	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 47 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3000 3176 WerFault.exe spoolsv.exe
4080 1908 WerFault.exe spoolsv.exe
5084 1576 WerFault.exe spoolsv.exe

pid	pid_target	process	target process
3000	3176	WerFault.exe	spoolsv.exe
4080	1908	WerFault.exe	spoolsv.exe
5084	1576	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
5056	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
5056	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
3568	explorer.exe
3568	explorer.exe
2000	spoolsv.exe
2000	spoolsv.exe
516	explorer.exe
516	explorer.exe
516	explorer.exe
516	explorer.exe
2828	spoolsv.exe
2828	spoolsv.exe
516	explorer.exe
516	explorer.exe
4192	spoolsv.exe
4192	spoolsv.exe
516	explorer.exe
516	explorer.exe
2580	spoolsv.exe
2580	spoolsv.exe
516	explorer.exe
516	explorer.exe
3580	spoolsv.exe
3580	spoolsv.exe
516	explorer.exe
516	explorer.exe
3248	spoolsv.exe
3248	spoolsv.exe
516	explorer.exe
516	explorer.exe
2096	spoolsv.exe
2096	spoolsv.exe
516	explorer.exe
516	explorer.exe
5032	spoolsv.exe
5032	spoolsv.exe
516	explorer.exe
516	explorer.exe
4852	spoolsv.exe
4852	spoolsv.exe
516	explorer.exe
516	explorer.exe
1972	spoolsv.exe
1972	spoolsv.exe
516	explorer.exe
516	explorer.exe
4612	spoolsv.exe
4612	spoolsv.exe
516	explorer.exe
516	explorer.exe
3328	spoolsv.exe
3328	spoolsv.exe
516	explorer.exe
516	explorer.exe
2356	spoolsv.exe
2356	spoolsv.exe
516	explorer.exe
516	explorer.exe
4004	spoolsv.exe
4004	spoolsv.exe
516	explorer.exe
516	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
5056	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
5056	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
3568	explorer.exe
3568	explorer.exe
516	explorer.exe
516	explorer.exe
2000	spoolsv.exe
2000	spoolsv.exe
516	explorer.exe
516	explorer.exe
2828	spoolsv.exe
2828	spoolsv.exe
4192	spoolsv.exe
4192	spoolsv.exe
2580	spoolsv.exe
2580	spoolsv.exe
3580	spoolsv.exe
3580	spoolsv.exe
3248	spoolsv.exe
3248	spoolsv.exe
2096	spoolsv.exe
2096	spoolsv.exe
5032	spoolsv.exe
5032	spoolsv.exe
4852	spoolsv.exe
4852	spoolsv.exe
1972	spoolsv.exe
1972	spoolsv.exe
4612	spoolsv.exe
4612	spoolsv.exe
3328	spoolsv.exe
3328	spoolsv.exe
2356	spoolsv.exe
2356	spoolsv.exe
4004	spoolsv.exe
4004	spoolsv.exe
4812	spoolsv.exe
4812	spoolsv.exe
184	spoolsv.exe
184	spoolsv.exe
3128	spoolsv.exe
3128	spoolsv.exe
2936	spoolsv.exe
2936	spoolsv.exe
2156	spoolsv.exe
2156	spoolsv.exe
4380	spoolsv.exe
4380	spoolsv.exe
4056	spoolsv.exe
4056	spoolsv.exe
1300	spoolsv.exe
1300	spoolsv.exe
2984	spoolsv.exe
2984	spoolsv.exe
2452	spoolsv.exe
2452	spoolsv.exe
3644	spoolsv.exe
3644	spoolsv.exe
1332	spoolsv.exe
1332	spoolsv.exe
4812	spoolsv.exe
4812	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exeexplorer.exe

description	pid	process	target process
PID 1140 wrote to memory of 3540	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	cmd.exe
PID 1140 wrote to memory of 3540	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	cmd.exe
PID 1140 wrote to memory of 3540	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	cmd.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1140 wrote to memory of 1700	1140	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 wrote to memory of 5056	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 wrote to memory of 5056	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 wrote to memory of 5056	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 wrote to memory of 5056	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 wrote to memory of 5056	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 wrote to memory of 5056	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 wrote to memory of 5056	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 wrote to memory of 5056	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
PID 1700 wrote to memory of 640	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	diskperf.exe
PID 1700 wrote to memory of 640	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	diskperf.exe
PID 1700 wrote to memory of 640	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	diskperf.exe
PID 1700 wrote to memory of 640	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	diskperf.exe
PID 1700 wrote to memory of 640	1700	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	diskperf.exe
PID 5056 wrote to memory of 3568	5056	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	explorer.exe
PID 5056 wrote to memory of 3568	5056	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	explorer.exe
PID 5056 wrote to memory of 3568	5056	02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe	explorer.exe
PID 3568 wrote to memory of 548	3568	explorer.exe	cmd.exe
PID 3568 wrote to memory of 548	3568	explorer.exe	cmd.exe
PID 3568 wrote to memory of 548	3568	explorer.exe	cmd.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe
PID 3568 wrote to memory of 2288	3568	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
"C:\Users\Admin\AppData\Local\Temp\02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:3540

C:\Users\Admin\AppData\Local\Temp\02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
C:\Users\Admin\AppData\Local\Temp\02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
C:\Users\Admin\AppData\Local\Temp\02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5056

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:548

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2288

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1296

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:4464

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3736

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1588

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:5104

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:5044

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4532

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2112

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4964

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4832

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:5076

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3336

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1116

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2392

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3328

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1592

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:232

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4388

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4976

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:968

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2452

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4476

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1288

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2008

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1616

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4060

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2216

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2584

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3552

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1020

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2664

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:884

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1112

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4712

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1028

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3828

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3480

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3604

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4808

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4860

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2364

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3796

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:5024

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3096

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2516

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2404

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2652

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4680

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4924

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4112

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4992

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:5052

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4136

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4088

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4716

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:980

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1900

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4336

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1920

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2184

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4168

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1716

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4428

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4812

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4528

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4952

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4620

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4996

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3548

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2368

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1516

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4500

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3116

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2708

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:4520

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:464

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1584

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1000

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3168

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4288

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4168

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:3040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:3756

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3416

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:64

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:64

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:64

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 504
8⤵
- Program crash
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 504
8⤵
- Program crash
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 504
8⤵
- Program crash
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2296

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3176 -ip 3176
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1576 -ip 1576
1⤵
PID:4492

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
60a69e78e37de9936c7d7274c67abda4

SHA1
7687addc4a89ced80ce7dd372422b7d91ee8d4f3

SHA256
02cc89bb7c64919d3c27e9b8ac637e847aca5c68c2b990f33a800445a3f0164d

SHA512
754ab07ea26d0512422de8b3375be68366fc7def4511b8313db08d38f424eaf9f857aea46900c1e9e6c61418d15571762bdc5adb1fa6aec5e08256f425522464

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
c25d4ab65b1eebe7f5b43c0f6cc683bb

SHA1
92d9c9ecc0878728e963b3da0021659895a8fa46

SHA256
28beb4192da8c3665a2e33f9ee05f4d8a13cb035ffa22e87efa22263eb9850f0

SHA512
5a00959f40eeeb69f47c56716b5a9991de157cbc7cc60ac00b9c03b687c83e36ab7a4091d9fcf500ff52e3301d1498d4a2fa2a56636212d4373b32703a70e42d

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.9MB

MD5
579faad971b23b82dff5a6d7dd92753e

SHA1
6d01593fa43f02d4ebafa36ac63f8174d2e9dc49

SHA256
1f82e78e3ef6362c948b4b730a27284c839503af5e9bcb4d07632aeab91ebbc9

SHA512
093cc765f005d8688646ba33ff16b53cc1e62022c20976a272f3f2c425ba129e56d0460e102c32be6d4619e8d11e7f5c7ef11192b23bf4486ce425b31963e3da

Download Submit
memory/116-433-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/184-284-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/640-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/640-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/640-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/836-383-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/924-240-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1140-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1140-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1184-253-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1300-360-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1332-409-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1572-408-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1700-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1700-4-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1700-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1700-15-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1700-13-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1700-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1700-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1700-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1700-9-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1700-30-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1700-6-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1700-7-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1700-12-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1700-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1972-211-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2000-80-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2096-169-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2140-421-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2156-333-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2288-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2288-74-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2288-50-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2288-49-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2288-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2288-55-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2288-48-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2288-68-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2288-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2356-242-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2388-434-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2408-348-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2416-225-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2452-384-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2580-121-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2620-168-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2620-621-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2628-131-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2628-125-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2628-124-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2736-119-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2736-665-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2736-118-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2736-114-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2736-117-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2736-115-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2736-116-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2764-446-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2828-95-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2916-460-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2936-308-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2984-372-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3128-293-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3200-89-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3200-504-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3200-91-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3200-90-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3200-86-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3200-88-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3200-87-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3248-144-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3272-268-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3324-601-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3324-156-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3328-227-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3380-461-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3468-210-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3524-319-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3568-51-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3580-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3644-396-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3764-371-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3844-290-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3952-359-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3972-447-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4004-256-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4056-350-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4076-690-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4076-198-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4084-282-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4192-108-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4380-337-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4400-634-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4400-106-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4432-183-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4432-667-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4516-305-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4564-335-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4612-213-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4812-422-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4812-270-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4852-186-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4912-395-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5008-142-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5008-644-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5032-184-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5032-171-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5056-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-54-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5056-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download