warzonerat | 0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f

Analysis

max time kernel
143s
max time network
114s
platform
windows10_x64
resource
win10v20210408
submitted
04-05-2021 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
Size

1.8MB
MD5

b9e080a7ef5d11b902d97b3a7f9b742f
SHA1

d96ec752a89a4024e022fdb5bc5eb187216b14c2
SHA256

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f
SHA512

c9c710478fdd3e02d9b6cd5dbfc795326ebaebfe372e15247b811072adb62dd06cf777c5878df40686f857aae2c772c19bc33affbffa20866b164a2054b9caaa

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3856	explorer.exe
2680	explorer.exe
1348	spoolsv.exe
3220	spoolsv.exe
3080	spoolsv.exe
3912	spoolsv.exe
2712	spoolsv.exe
2276	spoolsv.exe
1820	spoolsv.exe
2124	spoolsv.exe
2864	spoolsv.exe
3920	spoolsv.exe
4092	spoolsv.exe
3992	spoolsv.exe
2280	spoolsv.exe
2252	spoolsv.exe
828	spoolsv.exe
1692	spoolsv.exe
3880	spoolsv.exe
3716	spoolsv.exe
1936	spoolsv.exe
188	spoolsv.exe
204	spoolsv.exe
1512	spoolsv.exe
220	spoolsv.exe
1724	spoolsv.exe
672	spoolsv.exe
1856	spoolsv.exe
2964	spoolsv.exe
788	spoolsv.exe
3312	spoolsv.exe
824	spoolsv.exe
2448	spoolsv.exe
1708	spoolsv.exe
432	spoolsv.exe
3984	spoolsv.exe
2196	spoolsv.exe
1032	spoolsv.exe
3772	spoolsv.exe
1476	spoolsv.exe
192	spoolsv.exe
1812	spoolsv.exe
1584	spoolsv.exe
2464	spoolsv.exe
4044	spoolsv.exe
1648	spoolsv.exe
1116	spoolsv.exe
1468	spoolsv.exe
1208	spoolsv.exe
1216	spoolsv.exe
3352	spoolsv.exe
3856	spoolsv.exe
4108	spoolsv.exe
4132	spoolsv.exe
4156	spoolsv.exe
4192	spoolsv.exe
4216	spoolsv.exe
4240	spoolsv.exe
4268	spoolsv.exe
4304	spoolsv.exe
4328	spoolsv.exe
4348	spoolsv.exe
4376	spoolsv.exe
4392	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 54 IoCs

Processes:

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 596 set thread context of 192	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 596 set thread context of 216	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 3856 set thread context of 2680	3856	explorer.exe	explorer.exe
PID 1348 set thread context of 6680	1348	spoolsv.exe	spoolsv.exe
PID 1348 set thread context of 6700	1348	spoolsv.exe	diskperf.exe
PID 3220 set thread context of 6768	3220	spoolsv.exe	spoolsv.exe
PID 3080 set thread context of 6836	3080	spoolsv.exe	spoolsv.exe
PID 3220 set thread context of 6808	3220	spoolsv.exe	diskperf.exe
PID 3080 set thread context of 6852	3080	spoolsv.exe	diskperf.exe
PID 3912 set thread context of 6936	3912	spoolsv.exe	spoolsv.exe
PID 3912 set thread context of 6952	3912	spoolsv.exe	diskperf.exe
PID 2712 set thread context of 6984	2712	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 7036	2276	spoolsv.exe	spoolsv.exe
PID 2712 set thread context of 7056	2712	spoolsv.exe	diskperf.exe
PID 2276 set thread context of 7076	2276	spoolsv.exe	diskperf.exe
PID 1820 set thread context of 7112	1820	spoolsv.exe	spoolsv.exe
PID 2124 set thread context of 7152	2124	spoolsv.exe	spoolsv.exe
PID 1820 set thread context of 1464	1820	spoolsv.exe	diskperf.exe
PID 2124 set thread context of 6728	2124	spoolsv.exe	diskperf.exe
PID 2864 set thread context of 6844	2864	spoolsv.exe	spoolsv.exe
PID 2864 set thread context of 656	2864	spoolsv.exe	diskperf.exe
PID 3920 set thread context of 3368	3920	spoolsv.exe	spoolsv.exe
PID 3920 set thread context of 6772	3920	spoolsv.exe	diskperf.exe
PID 4092 set thread context of 6792	4092	spoolsv.exe	spoolsv.exe
PID 4092 set thread context of 6708	4092	spoolsv.exe	diskperf.exe
PID 3992 set thread context of 6972	3992	spoolsv.exe	spoolsv.exe
PID 2280 set thread context of 2740	2280	spoolsv.exe	spoolsv.exe
PID 2280 set thread context of 7052	2280	spoolsv.exe	diskperf.exe
PID 2252 set thread context of 3192	2252	spoolsv.exe	spoolsv.exe
PID 2252 set thread context of 2460	2252	spoolsv.exe	diskperf.exe
PID 828 set thread context of 7040	828	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 6716	1692	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 6816	1692	spoolsv.exe	diskperf.exe
PID 3880 set thread context of 7164	3880	spoolsv.exe	spoolsv.exe
PID 3880 set thread context of 6904	3880	spoolsv.exe	diskperf.exe
PID 3716 set thread context of 2772	3716	spoolsv.exe	spoolsv.exe
PID 1936 set thread context of 3896	1936	spoolsv.exe	spoolsv.exe
PID 1936 set thread context of 6996	1936	spoolsv.exe	diskperf.exe
PID 188 set thread context of 7132	188	spoolsv.exe	spoolsv.exe
PID 204 set thread context of 1872	204	spoolsv.exe	spoolsv.exe
PID 204 set thread context of 2452	204	spoolsv.exe	diskperf.exe
PID 1512 set thread context of 1596	1512	spoolsv.exe	spoolsv.exe
PID 1512 set thread context of 1720	1512	spoolsv.exe	diskperf.exe
PID 220 set thread context of 3396	220	spoolsv.exe	spoolsv.exe
PID 220 set thread context of 2220	220	spoolsv.exe	diskperf.exe
PID 1724 set thread context of 1624	1724	spoolsv.exe	spoolsv.exe
PID 672 set thread context of 6684	672	spoolsv.exe	spoolsv.exe
PID 672 set thread context of 6976	672	spoolsv.exe	diskperf.exe
PID 1856 set thread context of 2228	1856	spoolsv.exe	spoolsv.exe
PID 2964 set thread context of 3096	2964	spoolsv.exe	spoolsv.exe
PID 2964 set thread context of 2692	2964	spoolsv.exe	diskperf.exe
PID 788 set thread context of 1768	788	spoolsv.exe	spoolsv.exe
PID 788 set thread context of 1756	788	spoolsv.exe	diskperf.exe
PID 3312 set thread context of 2340	3312	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

spoolsv.exe0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exeexplorer.exe

pid	process
192	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
192	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2680 explorer.exe

pid	process
2680	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
192	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
192	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
2680	explorer.exe
6680	spoolsv.exe
6680	spoolsv.exe
6768	spoolsv.exe
6836	spoolsv.exe
6836	spoolsv.exe
6768	spoolsv.exe
6936	spoolsv.exe
6936	spoolsv.exe
6984	spoolsv.exe
6984	spoolsv.exe
7036	spoolsv.exe
7036	spoolsv.exe
7112	spoolsv.exe
7152	spoolsv.exe
7112	spoolsv.exe
6844	spoolsv.exe
6844	spoolsv.exe
7152	spoolsv.exe
3368	spoolsv.exe
3368	spoolsv.exe
6792	spoolsv.exe
6792	spoolsv.exe
6972	spoolsv.exe
6972	spoolsv.exe
2740	spoolsv.exe
2740	spoolsv.exe
3192	spoolsv.exe
3192	spoolsv.exe
7040	spoolsv.exe
6716	spoolsv.exe
6716	spoolsv.exe
7040	spoolsv.exe
7164	spoolsv.exe
7164	spoolsv.exe
2772	spoolsv.exe
2772	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe
7132	spoolsv.exe
7132	spoolsv.exe
1872	spoolsv.exe
1872	spoolsv.exe
1596	spoolsv.exe
1596	spoolsv.exe
3396	spoolsv.exe
3396	spoolsv.exe
1624	spoolsv.exe
1624	spoolsv.exe
6684	spoolsv.exe
6684	spoolsv.exe
2228	spoolsv.exe
2228	spoolsv.exe
3096	spoolsv.exe
3096	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
2340	spoolsv.exe
2340	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 596 wrote to memory of 192	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 596 wrote to memory of 192	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 596 wrote to memory of 192	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 596 wrote to memory of 192	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 596 wrote to memory of 192	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 596 wrote to memory of 192	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 596 wrote to memory of 192	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 596 wrote to memory of 192	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
PID 596 wrote to memory of 216	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 596 wrote to memory of 216	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 596 wrote to memory of 216	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 596 wrote to memory of 216	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 596 wrote to memory of 216	596	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	diskperf.exe
PID 192 wrote to memory of 3856	192	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	explorer.exe
PID 192 wrote to memory of 3856	192	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	explorer.exe
PID 192 wrote to memory of 3856	192	0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe	explorer.exe
PID 3856 wrote to memory of 2680	3856	explorer.exe	explorer.exe
PID 3856 wrote to memory of 2680	3856	explorer.exe	explorer.exe
PID 3856 wrote to memory of 2680	3856	explorer.exe	explorer.exe
PID 3856 wrote to memory of 2680	3856	explorer.exe	explorer.exe
PID 3856 wrote to memory of 2680	3856	explorer.exe	explorer.exe
PID 3856 wrote to memory of 2680	3856	explorer.exe	explorer.exe
PID 3856 wrote to memory of 2680	3856	explorer.exe	explorer.exe
PID 3856 wrote to memory of 2680	3856	explorer.exe	explorer.exe
PID 3856 wrote to memory of 788	3856	explorer.exe	diskperf.exe
PID 3856 wrote to memory of 788	3856	explorer.exe	diskperf.exe
PID 3856 wrote to memory of 788	3856	explorer.exe	diskperf.exe
PID 2680 wrote to memory of 1348	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 1348	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 1348	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3220	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3220	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3220	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3080	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3080	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3080	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3912	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3912	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3912	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2712	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2712	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2712	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2276	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2276	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2276	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 1820	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 1820	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 1820	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2124	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2124	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2124	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2864	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2864	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2864	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3920	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3920	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3920	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 4092	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 4092	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 4092	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3992	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3992	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 3992	2680	explorer.exe	spoolsv.exe
PID 2680 wrote to memory of 2280	2680	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
"C:\Users\Admin\AppData\Local\Temp\0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:596

C:\Users\Admin\AppData\Local\Temp\0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe
"C:\Users\Admin\AppData\Local\Temp\0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:192

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3856

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6936

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7112

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7152

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3368

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1248

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6972

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2740

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3192

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2772

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3896

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7132

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1872

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3396

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1408

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1624

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6684

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2228

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3096

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4416

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2340

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4496

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4512

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4548

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:788

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:216

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b9e080a7ef5d11b902d97b3a7f9b742f

SHA1
d96ec752a89a4024e022fdb5bc5eb187216b14c2

SHA256
0fa8e1c5768dd04021b8853529f733128e3fc2d01825a5ed28298a164172b30f

SHA512
c9c710478fdd3e02d9b6cd5dbfc795326ebaebfe372e15247b811072adb62dd06cf777c5878df40686f857aae2c772c19bc33affbffa20866b164a2054b9caaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
aded6208a6d187c59c4d6efc5e7dd6a7

SHA1
4a538398590f0260ee7327868751e9fdd2e88a27

SHA256
3ba10be3f1c033b2c4ef2caa5cc51508c213b85e62557e1251f06137aafd43b0

SHA512
3ae3607ff3b1dcd71788fd9082682384cf68270f4cb493955e1c4e0c908bf90d645881b4a45e942ce714935680dc6812fa6cc0b484967b584c381bd6cd7b8d36

Download Submit
C:\Windows\System\explorer.exe
MD5
aded6208a6d187c59c4d6efc5e7dd6a7

SHA1
4a538398590f0260ee7327868751e9fdd2e88a27

SHA256
3ba10be3f1c033b2c4ef2caa5cc51508c213b85e62557e1251f06137aafd43b0

SHA512
3ae3607ff3b1dcd71788fd9082682384cf68270f4cb493955e1c4e0c908bf90d645881b4a45e942ce714935680dc6812fa6cc0b484967b584c381bd6cd7b8d36

Download Submit
C:\Windows\System\explorer.exe
MD5
aded6208a6d187c59c4d6efc5e7dd6a7

SHA1
4a538398590f0260ee7327868751e9fdd2e88a27

SHA256
3ba10be3f1c033b2c4ef2caa5cc51508c213b85e62557e1251f06137aafd43b0

SHA512
3ae3607ff3b1dcd71788fd9082682384cf68270f4cb493955e1c4e0c908bf90d645881b4a45e942ce714935680dc6812fa6cc0b484967b584c381bd6cd7b8d36

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
\??\c:\windows\system\explorer.exe
MD5
aded6208a6d187c59c4d6efc5e7dd6a7

SHA1
4a538398590f0260ee7327868751e9fdd2e88a27

SHA256
3ba10be3f1c033b2c4ef2caa5cc51508c213b85e62557e1251f06137aafd43b0

SHA512
3ae3607ff3b1dcd71788fd9082682384cf68270f4cb493955e1c4e0c908bf90d645881b4a45e942ce714935680dc6812fa6cc0b484967b584c381bd6cd7b8d36

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
e00f41ba197bfc2a6e9395106e494e88

SHA1
8b225cd10c6123f5dbbbeb3aec38db882bdb688c

SHA256
fbcbbcd623df84b72abcd7fbc4b6d9a2b182f16bce37fc1c3ec15457b518485a

SHA512
5a20f739ba7e778840092a638a9e1859622f2719a4838604d52d95a7e21c335d76d3395c1799c0db312054ea203c263317a8be6c442b2f1a395d64d7dffac23e

Download Submit
memory/188-195-0x0000000000000000-mapping.dmp

Download
memory/188-202-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/192-116-0x0000000000403670-mapping.dmp

Download
memory/192-259-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/192-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/192-252-0x0000000000000000-mapping.dmp

Download
memory/192-122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/204-197-0x0000000000000000-mapping.dmp

Download
memory/204-201-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/216-118-0x0000000000411000-mapping.dmp

Download
memory/216-123-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/216-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/220-213-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/220-205-0x0000000000000000-mapping.dmp

Download
memory/432-244-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/432-236-0x0000000000000000-mapping.dmp

Download
memory/596-114-0x00000000005A0000-0x000000000064E000-memory.dmp

Filesize
696KB

Download
memory/672-209-0x0000000000000000-mapping.dmp

Download
memory/672-212-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/788-223-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/788-219-0x0000000000000000-mapping.dmp

Download
memory/824-226-0x0000000000000000-mapping.dmp

Download
memory/824-233-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/828-182-0x0000000000000000-mapping.dmp

Download
memory/828-188-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1032-242-0x0000000000000000-mapping.dmp

Download
memory/1032-245-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1116-279-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1116-271-0x0000000000000000-mapping.dmp

Download
memory/1208-278-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/1208-275-0x0000000000000000-mapping.dmp

Download
memory/1216-281-0x0000000000000000-mapping.dmp

Download
memory/1216-287-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1348-142-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1348-139-0x0000000000000000-mapping.dmp

Download
memory/1468-273-0x0000000000000000-mapping.dmp

Download
memory/1468-280-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1476-258-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1476-250-0x0000000000000000-mapping.dmp

Download
memory/1512-211-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/1512-203-0x0000000000000000-mapping.dmp

Download
memory/1584-260-0x0000000000000000-mapping.dmp

Download
memory/1584-266-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1648-277-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1648-269-0x0000000000000000-mapping.dmp

Download
memory/1692-184-0x0000000000000000-mapping.dmp

Download
memory/1692-189-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1708-235-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1708-230-0x0000000000000000-mapping.dmp

Download
memory/1724-207-0x0000000000000000-mapping.dmp

Download
memory/1724-214-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1812-257-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1812-254-0x0000000000000000-mapping.dmp

Download
memory/1820-156-0x0000000000000000-mapping.dmp

Download
memory/1820-160-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1856-215-0x0000000000000000-mapping.dmp

Download
memory/1856-221-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1936-200-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1936-193-0x0000000000000000-mapping.dmp

Download
memory/2124-169-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2124-161-0x0000000000000000-mapping.dmp

Download
memory/2196-240-0x0000000000000000-mapping.dmp

Download
memory/2196-247-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2252-180-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2252-177-0x0000000000000000-mapping.dmp

Download
memory/2276-154-0x0000000000000000-mapping.dmp

Download
memory/2276-159-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2280-175-0x0000000000000000-mapping.dmp

Download
memory/2280-181-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2448-234-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2448-228-0x0000000000000000-mapping.dmp

Download
memory/2464-267-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2464-262-0x0000000000000000-mapping.dmp

Download
memory/2680-131-0x0000000000403670-mapping.dmp

Download
memory/2712-152-0x0000000000000000-mapping.dmp

Download
memory/2712-158-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/2864-163-0x0000000000000000-mapping.dmp

Download
memory/2864-171-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/2964-222-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2964-217-0x0000000000000000-mapping.dmp

Download
memory/3080-145-0x0000000000000000-mapping.dmp

Download
memory/3080-150-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/3220-149-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3220-143-0x0000000000000000-mapping.dmp

Download
memory/3312-232-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3312-224-0x0000000000000000-mapping.dmp

Download
memory/3352-288-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/3352-283-0x0000000000000000-mapping.dmp

Download
memory/3716-191-0x0000000000000000-mapping.dmp

Download
memory/3716-199-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3772-256-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3772-248-0x0000000000000000-mapping.dmp

Download
memory/3856-289-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3856-129-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3856-126-0x0000000000000000-mapping.dmp

Download
memory/3856-285-0x0000000000000000-mapping.dmp

Download
memory/3880-186-0x0000000000000000-mapping.dmp

Download
memory/3880-190-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3912-147-0x0000000000000000-mapping.dmp

Download
memory/3912-151-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3920-165-0x0000000000000000-mapping.dmp

Download
memory/3920-172-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3984-246-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3984-238-0x0000000000000000-mapping.dmp

Download
memory/3992-173-0x0000000000000000-mapping.dmp

Download
memory/3992-179-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/4044-264-0x0000000000000000-mapping.dmp

Download
memory/4044-268-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4092-170-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4092-167-0x0000000000000000-mapping.dmp

Download
memory/4108-296-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4108-290-0x0000000000000000-mapping.dmp

Download
memory/4132-297-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/4132-292-0x0000000000000000-mapping.dmp

Download
memory/4156-298-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4156-294-0x0000000000000000-mapping.dmp

Download
memory/4192-299-0x0000000000000000-mapping.dmp

Download
memory/4192-305-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4216-301-0x0000000000000000-mapping.dmp

Download
memory/4216-307-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4240-309-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4240-303-0x0000000000000000-mapping.dmp

Download
memory/4268-310-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4268-306-0x0000000000000000-mapping.dmp

Download
memory/4304-311-0x0000000000000000-mapping.dmp

Download
memory/4304-315-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4328-313-0x0000000000000000-mapping.dmp

Download
memory/4328-316-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4348-314-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads