warzonerat | 0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
04-05-2021 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
Size

1.8MB
MD5

b9e080a7ef5d11b902d97b3a7f9b742f
SHA1

d96ec752a89a4024e022fdb5bc5eb187216b14c2
SHA256

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f
SHA512

c9c710478fdd3e02d9b6cd5dbfc795326ebaebfe372e15247b811072adb62dd06cf777c5878df40686f857aae2c772c19bc33affbffa20866b164a2054b9caaa

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1684	explorer.exe
2036	explorer.exe
1492	spoolsv.exe
1512	spoolsv.exe
1484	spoolsv.exe
1676	spoolsv.exe
1604	spoolsv.exe
1704	spoolsv.exe
1944	spoolsv.exe
1824	spoolsv.exe
1396	spoolsv.exe
1528	spoolsv.exe
1320	spoolsv.exe
1868	spoolsv.exe
1948	spoolsv.exe
1664	spoolsv.exe
1348	spoolsv.exe
1044	spoolsv.exe
616	spoolsv.exe
904	spoolsv.exe
1552	spoolsv.exe
1012	spoolsv.exe
1344	spoolsv.exe
1644	spoolsv.exe
296	spoolsv.exe
748	spoolsv.exe
824	spoolsv.exe
1480	spoolsv.exe
908	spoolsv.exe
972	spoolsv.exe
528	spoolsv.exe
1340	spoolsv.exe
1428	spoolsv.exe
928	spoolsv.exe
1832	spoolsv.exe
292	spoolsv.exe
520	spoolsv.exe
1892	spoolsv.exe
1612	spoolsv.exe
2040	spoolsv.exe
1876	spoolsv.exe
1668	spoolsv.exe
1136	spoolsv.exe
1568	spoolsv.exe
1148	spoolsv.exe
1800	spoolsv.exe
1888	spoolsv.exe
1820	spoolsv.exe
564	spoolsv.exe
1576	spoolsv.exe
1504	spoolsv.exe
1836	spoolsv.exe
2028	spoolsv.exe
1996	spoolsv.exe
1592	spoolsv.exe
1840	spoolsv.exe
428	spoolsv.exe
864	spoolsv.exe
1764	spoolsv.exe
1392	spoolsv.exe
936	spoolsv.exe
788	spoolsv.exe
2016	spoolsv.exe
1708	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exeexplorer.exe

pid	process
1436	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
1436	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe

Adds Run key to start application 2 TTPs 39 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 788 set thread context of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 set thread context of 1200	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 1684 set thread context of 2036	1684	explorer.exe	explorer.exe
PID 1684 set thread context of 676	1684	explorer.exe	diskperf.exe
PID 1492 set thread context of 3208	1492	spoolsv.exe	spoolsv.exe
PID 1492 set thread context of 3216	1492	spoolsv.exe	diskperf.exe
PID 1512 set thread context of 3252	1512	spoolsv.exe	spoolsv.exe
PID 1512 set thread context of 3260	1512	spoolsv.exe	diskperf.exe
PID 1484 set thread context of 3288	1484	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 3296	1484	spoolsv.exe	diskperf.exe
PID 1676 set thread context of 3324	1676	spoolsv.exe	spoolsv.exe
PID 1676 set thread context of 3332	1676	spoolsv.exe	diskperf.exe
PID 1604 set thread context of 3356	1604	spoolsv.exe	spoolsv.exe
PID 1604 set thread context of 3364	1604	spoolsv.exe	diskperf.exe
PID 1704 set thread context of 3392	1704	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 3400	1704	spoolsv.exe	diskperf.exe
PID 1944 set thread context of 3424	1944	spoolsv.exe	spoolsv.exe
PID 1944 set thread context of 3432	1944	spoolsv.exe	diskperf.exe
PID 1824 set thread context of 3456	1824	spoolsv.exe	spoolsv.exe
PID 1824 set thread context of 3464	1824	spoolsv.exe	diskperf.exe
PID 1396 set thread context of 3492	1396	spoolsv.exe	spoolsv.exe
PID 1396 set thread context of 3500	1396	spoolsv.exe	diskperf.exe
PID 1528 set thread context of 3532	1528	spoolsv.exe	spoolsv.exe
PID 1528 set thread context of 3540	1528	spoolsv.exe	diskperf.exe
PID 1320 set thread context of 3568	1320	spoolsv.exe	spoolsv.exe
PID 1320 set thread context of 3576	1320	spoolsv.exe	diskperf.exe
PID 1868 set thread context of 3604	1868	spoolsv.exe	spoolsv.exe
PID 1868 set thread context of 3612	1868	spoolsv.exe	diskperf.exe
PID 1948 set thread context of 3636	1948	spoolsv.exe	spoolsv.exe
PID 1948 set thread context of 3656	1948	spoolsv.exe	diskperf.exe
PID 1664 set thread context of 3664	1664	spoolsv.exe	spoolsv.exe
PID 1664 set thread context of 3672	1664	spoolsv.exe	diskperf.exe
PID 1348 set thread context of 3696	1348	spoolsv.exe	spoolsv.exe
PID 1348 set thread context of 3704	1348	spoolsv.exe	diskperf.exe
PID 1044 set thread context of 3732	1044	spoolsv.exe	spoolsv.exe
PID 1044 set thread context of 3740	1044	spoolsv.exe	diskperf.exe
PID 616 set thread context of 3764	616	spoolsv.exe	spoolsv.exe
PID 616 set thread context of 3772	616	spoolsv.exe	diskperf.exe
PID 904 set thread context of 3800	904	spoolsv.exe	spoolsv.exe
PID 904 set thread context of 3808	904	spoolsv.exe	diskperf.exe
PID 1552 set thread context of 3832	1552	spoolsv.exe	spoolsv.exe
PID 1552 set thread context of 3840	1552	spoolsv.exe	diskperf.exe
PID 1012 set thread context of 3868	1012	spoolsv.exe	spoolsv.exe
PID 1012 set thread context of 3876	1012	spoolsv.exe	diskperf.exe
PID 1344 set thread context of 3896	1344	spoolsv.exe	spoolsv.exe
PID 1344 set thread context of 3904	1344	spoolsv.exe	diskperf.exe
PID 1644 set thread context of 3924	1644	spoolsv.exe	spoolsv.exe
PID 1644 set thread context of 3932	1644	spoolsv.exe	diskperf.exe
PID 748 set thread context of 3944	748	spoolsv.exe	spoolsv.exe
PID 748 set thread context of 3952	748	spoolsv.exe	diskperf.exe
PID 296 set thread context of 3960	296	spoolsv.exe	spoolsv.exe
PID 296 set thread context of 3980	296	spoolsv.exe	diskperf.exe
PID 824 set thread context of 3992	824	spoolsv.exe	spoolsv.exe
PID 824 set thread context of 4000	824	spoolsv.exe	diskperf.exe
PID 1480 set thread context of 4020	1480	spoolsv.exe	spoolsv.exe
PID 1480 set thread context of 4028	1480	spoolsv.exe	diskperf.exe
PID 908 set thread context of 4048	908	spoolsv.exe	spoolsv.exe
PID 908 set thread context of 4056	908	spoolsv.exe	diskperf.exe
PID 972 set thread context of 4076	972	spoolsv.exe	spoolsv.exe
PID 972 set thread context of 4088	972	spoolsv.exe	diskperf.exe
PID 528 set thread context of 796	528	spoolsv.exe	spoolsv.exe
PID 1340 set thread context of 1276	1340	spoolsv.exe	svchost.exe
PID 528 set thread context of 3236	528	spoolsv.exe	diskperf.exe
PID 1340 set thread context of 3276	1340	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exeexplorer.exe

pid	process
1436	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2036 explorer.exe

pid	process
2036	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1436	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
1436	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
2036	explorer.exe
3208	spoolsv.exe
3208	spoolsv.exe
3252	spoolsv.exe
3252	spoolsv.exe
3288	spoolsv.exe
3288	spoolsv.exe
3324	spoolsv.exe
3324	spoolsv.exe
3356	spoolsv.exe
3356	spoolsv.exe
3392	spoolsv.exe
3392	spoolsv.exe
3424	spoolsv.exe
3424	spoolsv.exe
3456	spoolsv.exe
3456	spoolsv.exe
3492	spoolsv.exe
3492	spoolsv.exe
3532	spoolsv.exe
3532	spoolsv.exe
3568	spoolsv.exe
3568	spoolsv.exe
3604	spoolsv.exe
3604	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
3664	spoolsv.exe
3664	spoolsv.exe
3696	spoolsv.exe
3696	spoolsv.exe
3732	spoolsv.exe
3732	spoolsv.exe
3764	spoolsv.exe
3764	spoolsv.exe
3800	spoolsv.exe
3800	spoolsv.exe
3832	spoolsv.exe
3832	spoolsv.exe
3868	spoolsv.exe
3868	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe
3924	spoolsv.exe
3924	spoolsv.exe
3944	spoolsv.exe
3944	spoolsv.exe
3960	spoolsv.exe
3960	spoolsv.exe
3992	spoolsv.exe
3992	spoolsv.exe
4020	spoolsv.exe
4020	spoolsv.exe
4048	spoolsv.exe
4048	spoolsv.exe
4076	spoolsv.exe
4076	spoolsv.exe
796	spoolsv.exe
796	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 788 wrote to memory of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 wrote to memory of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 wrote to memory of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 wrote to memory of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 wrote to memory of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 wrote to memory of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 wrote to memory of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 wrote to memory of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 wrote to memory of 1436	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 788 wrote to memory of 1200	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 788 wrote to memory of 1200	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 788 wrote to memory of 1200	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 788 wrote to memory of 1200	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 788 wrote to memory of 1200	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 788 wrote to memory of 1200	788	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 1436 wrote to memory of 1684	1436	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	explorer.exe
PID 1436 wrote to memory of 1684	1436	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	explorer.exe
PID 1436 wrote to memory of 1684	1436	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	explorer.exe
PID 1436 wrote to memory of 1684	1436	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	explorer.exe
PID 1684 wrote to memory of 2036	1684	explorer.exe	explorer.exe
PID 1684 wrote to memory of 2036	1684	explorer.exe	explorer.exe
PID 1684 wrote to memory of 2036	1684	explorer.exe	explorer.exe
PID 1684 wrote to memory of 2036	1684	explorer.exe	explorer.exe
PID 1684 wrote to memory of 2036	1684	explorer.exe	explorer.exe
PID 1684 wrote to memory of 2036	1684	explorer.exe	explorer.exe
PID 1684 wrote to memory of 2036	1684	explorer.exe	explorer.exe
PID 1684 wrote to memory of 2036	1684	explorer.exe	explorer.exe
PID 1684 wrote to memory of 2036	1684	explorer.exe	explorer.exe
PID 1684 wrote to memory of 676	1684	explorer.exe	diskperf.exe
PID 1684 wrote to memory of 676	1684	explorer.exe	diskperf.exe
PID 1684 wrote to memory of 676	1684	explorer.exe	diskperf.exe
PID 1684 wrote to memory of 676	1684	explorer.exe	diskperf.exe
PID 1684 wrote to memory of 676	1684	explorer.exe	diskperf.exe
PID 1684 wrote to memory of 676	1684	explorer.exe	diskperf.exe
PID 2036 wrote to memory of 1492	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1492	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1492	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1492	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1512	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1512	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1512	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1512	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1484	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1484	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1484	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1484	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1676	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1676	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1676	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1676	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1604	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1604	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1604	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1604	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1704	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1704	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1704	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1704	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1944	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1944	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1944	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1944	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1824	2036	explorer.exe	spoolsv.exe
PID 2036 wrote to memory of 1824	2036	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
"C:\Users\Admin\AppData\Local\Temp\0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
"C:\Users\Admin\AppData\Local\Temp\0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1684

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3208

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3244

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3252

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3280

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3288

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3308

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3324

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3356

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3392

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3424

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3456

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3476

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3492

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3532

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3568

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3588

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3604

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3636

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3664

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3732

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3752

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3764

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3800

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3832

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3896

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3960

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4020

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4048

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:796

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1276

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3256

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3340

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3440

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3360

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3396

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3456

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1612

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3560

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1136

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3724

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3736

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3836

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1276

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3344

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1376

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3440

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3456

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1392

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3924

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:700

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3208

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1828

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1460

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1496

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1284

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1788

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:664

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3224

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1200

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3896

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b9e080a7ef5d11b902d97b3a7f9b742f

SHA1
d96ec752a89a4024e022fdb5bc5eb187216b14c2

SHA256
0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f

SHA512
c9c710478fdd3e02d9b6cd5dbfc795326ebaebfe372e15247b811072adb62dd06cf777c5878df40686f857aae2c772c19bc33affbffa20866b164a2054b9caaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
af9dd6dddbeae4276491a7443da72751

SHA1
4ef556002f36770adc9b69bc56d600a0d99119f2

SHA256
c2a8d25105876eba7e57b70cdc5becdb388d06d329ee61900eee0e24e7d2681c

SHA512
5db8b628e323c3f97cd682d42ab7fd1182d5c83c5aab7c4f889dfe25c20e8c12dc9a38dcb4f659640fcc895223454b6c615057299d5c731ea5b9234adc8ecdee

Download Submit
C:\Windows\system\explorer.exe
MD5
af9dd6dddbeae4276491a7443da72751

SHA1
4ef556002f36770adc9b69bc56d600a0d99119f2

SHA256
c2a8d25105876eba7e57b70cdc5becdb388d06d329ee61900eee0e24e7d2681c

SHA512
5db8b628e323c3f97cd682d42ab7fd1182d5c83c5aab7c4f889dfe25c20e8c12dc9a38dcb4f659640fcc895223454b6c615057299d5c731ea5b9234adc8ecdee

Download Submit
C:\Windows\system\explorer.exe
MD5
af9dd6dddbeae4276491a7443da72751

SHA1
4ef556002f36770adc9b69bc56d600a0d99119f2

SHA256
c2a8d25105876eba7e57b70cdc5becdb388d06d329ee61900eee0e24e7d2681c

SHA512
5db8b628e323c3f97cd682d42ab7fd1182d5c83c5aab7c4f889dfe25c20e8c12dc9a38dcb4f659640fcc895223454b6c615057299d5c731ea5b9234adc8ecdee

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
C:\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\??\c:\windows\system\explorer.exe
MD5
af9dd6dddbeae4276491a7443da72751

SHA1
4ef556002f36770adc9b69bc56d600a0d99119f2

SHA256
c2a8d25105876eba7e57b70cdc5becdb388d06d329ee61900eee0e24e7d2681c

SHA512
5db8b628e323c3f97cd682d42ab7fd1182d5c83c5aab7c4f889dfe25c20e8c12dc9a38dcb4f659640fcc895223454b6c615057299d5c731ea5b9234adc8ecdee

Download Submit
\Windows\system\explorer.exe
MD5
af9dd6dddbeae4276491a7443da72751

SHA1
4ef556002f36770adc9b69bc56d600a0d99119f2

SHA256
c2a8d25105876eba7e57b70cdc5becdb388d06d329ee61900eee0e24e7d2681c

SHA512
5db8b628e323c3f97cd682d42ab7fd1182d5c83c5aab7c4f889dfe25c20e8c12dc9a38dcb4f659640fcc895223454b6c615057299d5c731ea5b9234adc8ecdee

Download Submit
\Windows\system\explorer.exe
MD5
af9dd6dddbeae4276491a7443da72751

SHA1
4ef556002f36770adc9b69bc56d600a0d99119f2

SHA256
c2a8d25105876eba7e57b70cdc5becdb388d06d329ee61900eee0e24e7d2681c

SHA512
5db8b628e323c3f97cd682d42ab7fd1182d5c83c5aab7c4f889dfe25c20e8c12dc9a38dcb4f659640fcc895223454b6c615057299d5c731ea5b9234adc8ecdee

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
\Windows\system\spoolsv.exe
MD5
03fc0662f9eb70d8c82c211d77956ef2

SHA1
baf04823b6b26d3634724f23dd76deb091001bbf

SHA256
1bba7c5412aca877f05b14f6f098a640ae193c6b3d1b334d916cb15082be3ae6

SHA512
d89c7f532e85c100b2a7db2087269c631b2dd7dce4b220414c793917fb99dc8137b68ffd1f1061d92a61ee47cce76e47f05c0c5de00a539146faa12ec13ab6ef

Download Submit
memory/292-247-0x0000000000000000-mapping.dmp

Download
memory/296-214-0x0000000000000000-mapping.dmp

Download
memory/428-305-0x0000000000000000-mapping.dmp

Download
memory/428-311-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/520-249-0x0000000000000000-mapping.dmp

Download
memory/520-259-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/528-230-0x0000000000000000-mapping.dmp

Download
memory/528-239-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/564-297-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/564-288-0x0000000000000000-mapping.dmp

Download
memory/616-190-0x0000000000000000-mapping.dmp

Download
memory/616-198-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/676-86-0x0000000000411000-mapping.dmp

Download
memory/748-218-0x0000000000000000-mapping.dmp

Download
memory/788-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/788-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/824-235-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/824-222-0x0000000000000000-mapping.dmp

Download
memory/864-312-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/864-306-0x0000000000000000-mapping.dmp

Download
memory/904-206-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/904-197-0x0000000000000000-mapping.dmp

Download
memory/908-237-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/908-226-0x0000000000000000-mapping.dmp

Download
memory/928-243-0x0000000000000000-mapping.dmp

Download
memory/936-315-0x0000000000000000-mapping.dmp

Download
memory/972-228-0x0000000000000000-mapping.dmp

Download
memory/1012-208-0x0000000000000000-mapping.dmp

Download
memory/1044-185-0x0000000000000000-mapping.dmp

Download
memory/1044-195-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1136-268-0x0000000000000000-mapping.dmp

Download
memory/1136-282-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1148-272-0x0000000000000000-mapping.dmp

Download
memory/1200-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1200-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1200-67-0x0000000000411000-mapping.dmp

Download
memory/1320-156-0x0000000000000000-mapping.dmp

Download
memory/1320-164-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1340-232-0x0000000000000000-mapping.dmp

Download
memory/1340-240-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1344-210-0x0000000000000000-mapping.dmp

Download
memory/1344-217-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1348-179-0x0000000000000000-mapping.dmp

Download
memory/1392-308-0x0000000000000000-mapping.dmp

Download
memory/1396-143-0x0000000000000000-mapping.dmp

Download
memory/1396-153-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1428-241-0x0000000000000000-mapping.dmp

Download
memory/1436-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-63-0x0000000000403670-mapping.dmp

Download
memory/1436-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-224-0x0000000000000000-mapping.dmp

Download
memory/1480-236-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1484-111-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1484-107-0x0000000000000000-mapping.dmp

Download
memory/1492-99-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1492-94-0x0000000000000000-mapping.dmp

Download
memory/1504-292-0x0000000000000000-mapping.dmp

Download
memory/1512-102-0x0000000000000000-mapping.dmp

Download
memory/1528-148-0x0000000000000000-mapping.dmp

Download
memory/1528-152-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1552-203-0x0000000000000000-mapping.dmp

Download
memory/1568-270-0x0000000000000000-mapping.dmp

Download
memory/1568-283-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1576-290-0x0000000000000000-mapping.dmp

Download
memory/1576-298-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1592-303-0x0000000000000000-mapping.dmp

Download
memory/1604-119-0x0000000000000000-mapping.dmp

Download
memory/1604-126-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1612-253-0x0000000000000000-mapping.dmp

Download
memory/1644-212-0x0000000000000000-mapping.dmp

Download
memory/1664-180-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1664-173-0x0000000000000000-mapping.dmp

Download
memory/1668-266-0x0000000000000000-mapping.dmp

Download
memory/1676-124-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1676-114-0x0000000000000000-mapping.dmp

Download
memory/1684-73-0x0000000000000000-mapping.dmp

Download
memory/1684-78-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1704-125-0x0000000000000000-mapping.dmp

Download
memory/1704-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1764-307-0x0000000000000000-mapping.dmp

Download
memory/1800-274-0x0000000000000000-mapping.dmp

Download
memory/1820-286-0x0000000000000000-mapping.dmp

Download
memory/1824-138-0x0000000000000000-mapping.dmp

Download
memory/1824-151-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1832-245-0x0000000000000000-mapping.dmp

Download
memory/1832-257-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1836-300-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1836-293-0x0000000000000000-mapping.dmp

Download
memory/1840-304-0x0000000000000000-mapping.dmp

Download
memory/1868-161-0x0000000000000000-mapping.dmp

Download
memory/1868-165-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1876-264-0x0000000000000000-mapping.dmp

Download
memory/1888-276-0x0000000000000000-mapping.dmp

Download
memory/1892-260-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1892-251-0x0000000000000000-mapping.dmp

Download
memory/1944-135-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1944-131-0x0000000000000000-mapping.dmp

Download
memory/1948-168-0x0000000000000000-mapping.dmp

Download
memory/1948-176-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1996-295-0x0000000000000000-mapping.dmp

Download
memory/2028-301-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2028-294-0x0000000000000000-mapping.dmp

Download
memory/2036-81-0x0000000000403670-mapping.dmp

Download
memory/2040-262-0x0000000000000000-mapping.dmp

Download
memory/2040-277-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads