warzonerat | f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191

Analysis

max time kernel
151s
max time network
110s
platform
windows7_x64
resource
win7v20210410
submitted
04-05-2021 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
Size

1.8MB
MD5

c5b5e7134d28f77190b35cd98c2779ba
SHA1

df6538b2f1527afe8ff473387de959543ba02253
SHA256

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191
SHA512

5a6e3dc41a15b658ed849d8ab18ae07b0d650f5263485ce78ae46bc1f81ef893c54bb4da4cf451e7d189e9881de240722e29cff19144e6ac7d6d7cdb6fe418c0

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
768	explorer.exe
1348	explorer.exe
1052	spoolsv.exe
1964	spoolsv.exe
956	spoolsv.exe
800	spoolsv.exe
1612	spoolsv.exe
532	spoolsv.exe
2008	spoolsv.exe
2024	spoolsv.exe
1680	spoolsv.exe
1640	spoolsv.exe
752	spoolsv.exe
1544	spoolsv.exe
728	spoolsv.exe
1568	spoolsv.exe
1660	spoolsv.exe
1924	spoolsv.exe
1540	spoolsv.exe
1912	spoolsv.exe
1176	spoolsv.exe
672	spoolsv.exe
1688	spoolsv.exe
1196	spoolsv.exe
1704	spoolsv.exe
2012	spoolsv.exe
840	spoolsv.exe
1100	spoolsv.exe
1632	spoolsv.exe
2000	spoolsv.exe
952	spoolsv.exe
948	spoolsv.exe
272	spoolsv.exe
536	spoolsv.exe
432	spoolsv.exe
1476	spoolsv.exe
1824	spoolsv.exe
1524	spoolsv.exe
1136	spoolsv.exe
1560	spoolsv.exe
1216	spoolsv.exe
1932	spoolsv.exe
284	spoolsv.exe
1184	spoolsv.exe
1648	spoolsv.exe
1596	spoolsv.exe
1256	spoolsv.exe
1668	spoolsv.exe
1636	spoolsv.exe
1276	spoolsv.exe
968	spoolsv.exe
1556	spoolsv.exe
1172	spoolsv.exe
1948	spoolsv.exe
1368	spoolsv.exe
1536	spoolsv.exe
768	spoolsv.exe
1068	spoolsv.exe
1752	spoolsv.exe
788	spoolsv.exe
1852	spoolsv.exe
2020	spoolsv.exe
1060	spoolsv.exe
1600	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exeexplorer.exe

pid	process
1576	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
1576	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 61 IoCs

Processes:

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1084 set thread context of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 set thread context of 1532	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 768 set thread context of 1348	768	explorer.exe	explorer.exe
PID 768 set thread context of 1472	768	explorer.exe	diskperf.exe
PID 1052 set thread context of 3188	1052	spoolsv.exe	spoolsv.exe
PID 1052 set thread context of 3196	1052	spoolsv.exe	diskperf.exe
PID 1964 set thread context of 3240	1964	spoolsv.exe	spoolsv.exe
PID 1964 set thread context of 3248	1964	spoolsv.exe	diskperf.exe
PID 956 set thread context of 3272	956	spoolsv.exe	spoolsv.exe
PID 956 set thread context of 3280	956	spoolsv.exe	diskperf.exe
PID 800 set thread context of 3308	800	spoolsv.exe	spoolsv.exe
PID 800 set thread context of 3316	800	spoolsv.exe	diskperf.exe
PID 1612 set thread context of 3344	1612	spoolsv.exe	spoolsv.exe
PID 1612 set thread context of 3352	1612	spoolsv.exe	diskperf.exe
PID 532 set thread context of 3380	532	spoolsv.exe	spoolsv.exe
PID 532 set thread context of 3388	532	spoolsv.exe	diskperf.exe
PID 2008 set thread context of 3412	2008	spoolsv.exe	spoolsv.exe
PID 2008 set thread context of 3420	2008	spoolsv.exe	diskperf.exe
PID 2024 set thread context of 3448	2024	spoolsv.exe	spoolsv.exe
PID 2024 set thread context of 3456	2024	spoolsv.exe	diskperf.exe
PID 1680 set thread context of 3488	1680	spoolsv.exe	spoolsv.exe
PID 1680 set thread context of 3496	1680	spoolsv.exe	diskperf.exe
PID 1640 set thread context of 3524	1640	spoolsv.exe	spoolsv.exe
PID 1640 set thread context of 3532	1640	spoolsv.exe	diskperf.exe
PID 752 set thread context of 3552	752	spoolsv.exe	spoolsv.exe
PID 752 set thread context of 3560	752	spoolsv.exe	diskperf.exe
PID 1544 set thread context of 3580	1544	spoolsv.exe	spoolsv.exe
PID 1544 set thread context of 3588	1544	spoolsv.exe	diskperf.exe
PID 728 set thread context of 3616	728	spoolsv.exe	spoolsv.exe
PID 728 set thread context of 3624	728	spoolsv.exe	diskperf.exe
PID 1568 set thread context of 3652	1568	spoolsv.exe	spoolsv.exe
PID 1568 set thread context of 3660	1568	spoolsv.exe	diskperf.exe
PID 1660 set thread context of 3688	1660	spoolsv.exe	spoolsv.exe
PID 1660 set thread context of 3696	1660	spoolsv.exe	diskperf.exe
PID 1924 set thread context of 3724	1924	spoolsv.exe	spoolsv.exe
PID 1924 set thread context of 3744	1924	spoolsv.exe	diskperf.exe
PID 1540 set thread context of 3752	1540	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 3760	1540	spoolsv.exe	diskperf.exe
PID 1912 set thread context of 3784	1912	spoolsv.exe	spoolsv.exe
PID 1912 set thread context of 3792	1912	spoolsv.exe	diskperf.exe
PID 1176 set thread context of 3812	1176	spoolsv.exe	spoolsv.exe
PID 1176 set thread context of 3820	1176	spoolsv.exe	diskperf.exe
PID 672 set thread context of 3848	672	spoolsv.exe	spoolsv.exe
PID 672 set thread context of 3856	672	spoolsv.exe	diskperf.exe
PID 1688 set thread context of 3864	1688	spoolsv.exe	spoolsv.exe
PID 1688 set thread context of 3884	1688	spoolsv.exe	diskperf.exe
PID 1196 set thread context of 3896	1196	spoolsv.exe	spoolsv.exe
PID 1196 set thread context of 3904	1196	spoolsv.exe	diskperf.exe
PID 1704 set thread context of 3912	1704	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 3920	1704	spoolsv.exe	diskperf.exe
PID 2012 set thread context of 3928	2012	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 3936	2012	spoolsv.exe	diskperf.exe
PID 840 set thread context of 3960	840	spoolsv.exe	spoolsv.exe
PID 1100 set thread context of 3968	1100	spoolsv.exe	spoolsv.exe
PID 840 set thread context of 3976	840	spoolsv.exe	diskperf.exe
PID 1100 set thread context of 3996	1100	spoolsv.exe	diskperf.exe
PID 1632 set thread context of 4004	1632	spoolsv.exe	spoolsv.exe
PID 1632 set thread context of 4012	1632	spoolsv.exe	diskperf.exe
PID 2000 set thread context of 4020	2000	spoolsv.exe	spoolsv.exe
PID 2000 set thread context of 4028	2000	spoolsv.exe	diskperf.exe
PID 952 set thread context of 4036	952	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exeexplorer.exe

pid	process
1576	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1348 explorer.exe

pid	process
1348	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1576	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
1576	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
1348	explorer.exe
3188	spoolsv.exe
3188	spoolsv.exe
3240	spoolsv.exe
3240	spoolsv.exe
3272	spoolsv.exe
3272	spoolsv.exe
3308	spoolsv.exe
3308	spoolsv.exe
3344	spoolsv.exe
3344	spoolsv.exe
3380	spoolsv.exe
3380	spoolsv.exe
3412	spoolsv.exe
3412	spoolsv.exe
3448	spoolsv.exe
3448	spoolsv.exe
3488	spoolsv.exe
3488	spoolsv.exe
3524	spoolsv.exe
3524	spoolsv.exe
3552	spoolsv.exe
3552	spoolsv.exe
3580	spoolsv.exe
3580	spoolsv.exe
3616	spoolsv.exe
3616	spoolsv.exe
3652	spoolsv.exe
3652	spoolsv.exe
3688	spoolsv.exe
3688	spoolsv.exe
3724	spoolsv.exe
3724	spoolsv.exe
3752	spoolsv.exe
3752	spoolsv.exe
3784	spoolsv.exe
3784	spoolsv.exe
3812	spoolsv.exe
3812	spoolsv.exe
3848	spoolsv.exe
3848	spoolsv.exe
3864	spoolsv.exe
3864	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe
3912	spoolsv.exe
3912	spoolsv.exe
3928	spoolsv.exe
3928	spoolsv.exe
3960	spoolsv.exe
3968	spoolsv.exe
3960	spoolsv.exe
4004	spoolsv.exe
3968	spoolsv.exe
4004	spoolsv.exe
4020	spoolsv.exe
4036	spoolsv.exe
4036	spoolsv.exe
4020	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exef55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1084 wrote to memory of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 wrote to memory of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 wrote to memory of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 wrote to memory of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 wrote to memory of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 wrote to memory of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 wrote to memory of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 wrote to memory of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 wrote to memory of 1576	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
PID 1084 wrote to memory of 1532	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	diskperf.exe
PID 1576 wrote to memory of 768	1576	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	explorer.exe
PID 1576 wrote to memory of 768	1576	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	explorer.exe
PID 1576 wrote to memory of 768	1576	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	explorer.exe
PID 1576 wrote to memory of 768	1576	f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe	explorer.exe
PID 768 wrote to memory of 1348	768	explorer.exe	explorer.exe
PID 768 wrote to memory of 1348	768	explorer.exe	explorer.exe
PID 768 wrote to memory of 1348	768	explorer.exe	explorer.exe
PID 768 wrote to memory of 1348	768	explorer.exe	explorer.exe
PID 768 wrote to memory of 1348	768	explorer.exe	explorer.exe
PID 768 wrote to memory of 1348	768	explorer.exe	explorer.exe
PID 768 wrote to memory of 1348	768	explorer.exe	explorer.exe
PID 768 wrote to memory of 1348	768	explorer.exe	explorer.exe
PID 768 wrote to memory of 1348	768	explorer.exe	explorer.exe
PID 768 wrote to memory of 1472	768	explorer.exe	diskperf.exe
PID 768 wrote to memory of 1472	768	explorer.exe	diskperf.exe
PID 768 wrote to memory of 1472	768	explorer.exe	diskperf.exe
PID 768 wrote to memory of 1472	768	explorer.exe	diskperf.exe
PID 768 wrote to memory of 1472	768	explorer.exe	diskperf.exe
PID 768 wrote to memory of 1472	768	explorer.exe	diskperf.exe
PID 1348 wrote to memory of 1052	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1052	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1052	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1052	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1964	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1964	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1964	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1964	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 956	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 956	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 956	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 956	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 800	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 800	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 800	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 800	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1612	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1612	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1612	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 1612	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 532	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 532	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 532	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 532	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 2008	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 2008	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 2008	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 2008	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 2024	1348	explorer.exe	spoolsv.exe
PID 1348 wrote to memory of 2024	1348	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
"C:\Users\Admin\AppData\Local\Temp\f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe
"C:\Users\Admin\AppData\Local\Temp\f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:768

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3188

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3220

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3240

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3308

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3344

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3380

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3412

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3448

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3488

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3508

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3524

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3552

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3652

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3688

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3724

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3736

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3812

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3848

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3912

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3960

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4020

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4064

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4092

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3192

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3208

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1424

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3312

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3376

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3380

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3416

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1136

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3448

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3668

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3708

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3788

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1284

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:972

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3360

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3448

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3492

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1860

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4080

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1728

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3480

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1480

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:320

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:328

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1532

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
c5b5e7134d28f77190b35cd98c2779ba

SHA1
df6538b2f1527afe8ff473387de959543ba02253

SHA256
f55855edf538a97151d3ca12938d3ba8ab517f01c5daeccf4a8e5b1662c40191

SHA512
5a6e3dc41a15b658ed849d8ab18ae07b0d650f5263485ce78ae46bc1f81ef893c54bb4da4cf451e7d189e9881de240722e29cff19144e6ac7d6d7cdb6fe418c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
a58e370a3d70a9a55b83d7cdffb2baf3

SHA1
f8ce72c540e31debcb5d8625b41819559818047f

SHA256
aae5f542756f866264da013392cebaf13a8c4e9b162bebb7c68bacbd379394dd

SHA512
8ddcda27959a50c656932f3a5f5b4a1c4b719acf94f6978ce918a71c604a9b0843cf67f16ef6e6b4cdedea5dcf4888f2bab60c687af6dda74f3135d49f5574f6

Download Submit
C:\Windows\system\explorer.exe
MD5
a58e370a3d70a9a55b83d7cdffb2baf3

SHA1
f8ce72c540e31debcb5d8625b41819559818047f

SHA256
aae5f542756f866264da013392cebaf13a8c4e9b162bebb7c68bacbd379394dd

SHA512
8ddcda27959a50c656932f3a5f5b4a1c4b719acf94f6978ce918a71c604a9b0843cf67f16ef6e6b4cdedea5dcf4888f2bab60c687af6dda74f3135d49f5574f6

Download Submit
C:\Windows\system\explorer.exe
MD5
a58e370a3d70a9a55b83d7cdffb2baf3

SHA1
f8ce72c540e31debcb5d8625b41819559818047f

SHA256
aae5f542756f866264da013392cebaf13a8c4e9b162bebb7c68bacbd379394dd

SHA512
8ddcda27959a50c656932f3a5f5b4a1c4b719acf94f6978ce918a71c604a9b0843cf67f16ef6e6b4cdedea5dcf4888f2bab60c687af6dda74f3135d49f5574f6

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\??\c:\windows\system\explorer.exe
MD5
a58e370a3d70a9a55b83d7cdffb2baf3

SHA1
f8ce72c540e31debcb5d8625b41819559818047f

SHA256
aae5f542756f866264da013392cebaf13a8c4e9b162bebb7c68bacbd379394dd

SHA512
8ddcda27959a50c656932f3a5f5b4a1c4b719acf94f6978ce918a71c604a9b0843cf67f16ef6e6b4cdedea5dcf4888f2bab60c687af6dda74f3135d49f5574f6

Download Submit
\Windows\system\explorer.exe
MD5
a58e370a3d70a9a55b83d7cdffb2baf3

SHA1
f8ce72c540e31debcb5d8625b41819559818047f

SHA256
aae5f542756f866264da013392cebaf13a8c4e9b162bebb7c68bacbd379394dd

SHA512
8ddcda27959a50c656932f3a5f5b4a1c4b719acf94f6978ce918a71c604a9b0843cf67f16ef6e6b4cdedea5dcf4888f2bab60c687af6dda74f3135d49f5574f6

Download Submit
\Windows\system\explorer.exe
MD5
a58e370a3d70a9a55b83d7cdffb2baf3

SHA1
f8ce72c540e31debcb5d8625b41819559818047f

SHA256
aae5f542756f866264da013392cebaf13a8c4e9b162bebb7c68bacbd379394dd

SHA512
8ddcda27959a50c656932f3a5f5b4a1c4b719acf94f6978ce918a71c604a9b0843cf67f16ef6e6b4cdedea5dcf4888f2bab60c687af6dda74f3135d49f5574f6

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
\Windows\system\spoolsv.exe
MD5
ddf7eaf593273b5220209cc4b7d05b2f

SHA1
db0ff9246a8324da68b7ebe0c12c157913571594

SHA256
178186c1d36da93816b98bb6699f26ac06609e6b0112268c9894c75e046c3129

SHA512
0b00582547712e2ccc3b588c199c22ff5d140db3b2d0100de9a287f86b78900d7187c2de7262012a4739c9072135376619159794470ad48c4384412971aa2818

Download Submit
memory/272-239-0x0000000000000000-mapping.dmp

Download
memory/272-251-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/284-266-0x0000000000000000-mapping.dmp

Download
memory/284-276-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/432-253-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/432-243-0x0000000000000000-mapping.dmp

Download
memory/532-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/532-125-0x0000000000000000-mapping.dmp

Download
memory/536-252-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/536-241-0x0000000000000000-mapping.dmp

Download
memory/672-206-0x0000000000000000-mapping.dmp

Download
memory/728-174-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/728-167-0x0000000000000000-mapping.dmp

Download
memory/752-159-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/752-155-0x0000000000000000-mapping.dmp

Download
memory/768-73-0x0000000000000000-mapping.dmp

Download
memory/768-78-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/768-302-0x0000000000000000-mapping.dmp

Download
memory/788-315-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/788-311-0x0000000000000000-mapping.dmp

Download
memory/800-113-0x0000000000000000-mapping.dmp

Download
memory/800-118-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/840-220-0x0000000000000000-mapping.dmp

Download
memory/840-231-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/948-237-0x0000000000000000-mapping.dmp

Download
memory/948-250-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/952-235-0x0000000000000000-mapping.dmp

Download
memory/956-107-0x0000000000000000-mapping.dmp

Download
memory/956-117-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/968-289-0x0000000000000000-mapping.dmp

Download
memory/1052-96-0x0000000000000000-mapping.dmp

Download
memory/1068-309-0x0000000000000000-mapping.dmp

Download
memory/1068-313-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1084-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1100-232-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1100-222-0x0000000000000000-mapping.dmp

Download
memory/1136-258-0x0000000000000000-mapping.dmp

Download
memory/1136-270-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1172-304-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1172-298-0x0000000000000000-mapping.dmp

Download
memory/1176-203-0x0000000000000000-mapping.dmp

Download
memory/1176-211-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1184-274-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1184-268-0x0000000000000000-mapping.dmp

Download
memory/1196-228-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1196-214-0x0000000000000000-mapping.dmp

Download
memory/1216-273-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1216-262-0x0000000000000000-mapping.dmp

Download
memory/1256-281-0x0000000000000000-mapping.dmp

Download
memory/1256-293-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1276-287-0x0000000000000000-mapping.dmp

Download
memory/1348-81-0x0000000000403670-mapping.dmp

Download
memory/1368-300-0x0000000000000000-mapping.dmp

Download
memory/1368-306-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1472-86-0x0000000000411000-mapping.dmp

Download
memory/1476-254-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1476-245-0x0000000000000000-mapping.dmp

Download
memory/1524-269-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1524-256-0x0000000000000000-mapping.dmp

Download
memory/1532-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-67-0x0000000000411000-mapping.dmp

Download
memory/1536-301-0x0000000000000000-mapping.dmp

Download
memory/1540-191-0x0000000000000000-mapping.dmp

Download
memory/1540-198-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1544-162-0x0000000000000000-mapping.dmp

Download
memory/1556-297-0x0000000000000000-mapping.dmp

Download
memory/1560-260-0x0000000000000000-mapping.dmp

Download
memory/1568-173-0x0000000000000000-mapping.dmp

Download
memory/1576-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1576-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1576-63-0x0000000000403670-mapping.dmp

Download
memory/1596-292-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-279-0x0000000000000000-mapping.dmp

Download
memory/1612-133-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1612-120-0x0000000000000000-mapping.dmp

Download
memory/1632-224-0x0000000000000000-mapping.dmp

Download
memory/1632-233-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1636-285-0x0000000000000000-mapping.dmp

Download
memory/1640-158-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1640-150-0x0000000000000000-mapping.dmp

Download
memory/1648-277-0x0000000000000000-mapping.dmp

Download
memory/1660-179-0x0000000000000000-mapping.dmp

Download
memory/1660-186-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1668-283-0x0000000000000000-mapping.dmp

Download
memory/1680-147-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1680-143-0x0000000000000000-mapping.dmp

Download
memory/1688-213-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-208-0x0000000000000000-mapping.dmp

Download
memory/1704-229-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1704-216-0x0000000000000000-mapping.dmp

Download
memory/1752-310-0x0000000000000000-mapping.dmp

Download
memory/1824-247-0x0000000000000000-mapping.dmp

Download
memory/1852-312-0x0000000000000000-mapping.dmp

Download
memory/1912-196-0x0000000000000000-mapping.dmp

Download
memory/1912-210-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1924-197-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1924-185-0x0000000000000000-mapping.dmp

Download
memory/1932-264-0x0000000000000000-mapping.dmp

Download
memory/1948-299-0x0000000000000000-mapping.dmp

Download
memory/1948-305-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1964-108-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1964-101-0x0000000000000000-mapping.dmp

Download
memory/2000-226-0x0000000000000000-mapping.dmp

Download
memory/2000-234-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-130-0x0000000000000000-mapping.dmp

Download
memory/2008-135-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2012-230-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-218-0x0000000000000000-mapping.dmp

Download
memory/2024-146-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2024-138-0x0000000000000000-mapping.dmp

Download