warzonerat | dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45

Analysis

max time kernel
151s
max time network
12s
platform
windows7_x64
resource
win7v20210408
submitted
04-05-2021 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
Size

1.8MB
MD5

c1ad5f2ef3adc0df53f806aae1b0429b
SHA1

2f132de302815f8eb4d5b0595d15c3728144d84a
SHA256

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45
SHA512

7c0013dddb9bb01ea2bc0a72492e2df754c9a6ca9b08eb3a7171eb79a3e090107503947ded8dd92f9143719b2b9f3facabaab4bd39a7e5ab476ad5232c658d96

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
976	explorer.exe
1620	explorer.exe
1464	spoolsv.exe
1484	spoolsv.exe
596	spoolsv.exe
1916	spoolsv.exe
288	spoolsv.exe
1600	spoolsv.exe
1952	spoolsv.exe
1932	spoolsv.exe
1404	spoolsv.exe
1844	spoolsv.exe
2020	spoolsv.exe
660	spoolsv.exe
760	spoolsv.exe
1492	spoolsv.exe
1548	spoolsv.exe
1084	spoolsv.exe
1204	spoolsv.exe
552	spoolsv.exe
884	spoolsv.exe
924	spoolsv.exe
1832	spoolsv.exe
1684	spoolsv.exe
1608	spoolsv.exe
1840	spoolsv.exe
1676	spoolsv.exe
1892	spoolsv.exe
1972	spoolsv.exe
1976	spoolsv.exe
1424	spoolsv.exe
944	spoolsv.exe
844	spoolsv.exe
1176	spoolsv.exe
524	spoolsv.exe
1108	spoolsv.exe
464	spoolsv.exe
652	spoolsv.exe
1076	spoolsv.exe
1740	spoolsv.exe
1760	spoolsv.exe
976	spoolsv.exe
1748	spoolsv.exe
968	spoolsv.exe
2032	spoolsv.exe
576	spoolsv.exe
1968	spoolsv.exe
948	spoolsv.exe
1900	spoolsv.exe
1416	spoolsv.exe
1296	spoolsv.exe
860	spoolsv.exe
1460	spoolsv.exe
640	spoolsv.exe
1836	spoolsv.exe
1636	spoolsv.exe
1016	spoolsv.exe
1708	spoolsv.exe
856	spoolsv.exe
1536	spoolsv.exe
1680	spoolsv.exe
1700	spoolsv.exe
1572	spoolsv.exe
1348	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exeexplorer.exe

pid	process
1460	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
1460	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 56 IoCs

Processes:

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 684 set thread context of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 set thread context of 1360	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 976 set thread context of 1620	976	explorer.exe	explorer.exe
PID 976 set thread context of 1020	976	explorer.exe	diskperf.exe
PID 1464 set thread context of 3380	1464	spoolsv.exe	spoolsv.exe
PID 1464 set thread context of 3396	1464	spoolsv.exe	diskperf.exe
PID 1484 set thread context of 3444	1484	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 3452	1484	spoolsv.exe	diskperf.exe
PID 596 set thread context of 3472	596	spoolsv.exe	spoolsv.exe
PID 596 set thread context of 3480	596	spoolsv.exe	diskperf.exe
PID 1916 set thread context of 3508	1916	spoolsv.exe	spoolsv.exe
PID 1916 set thread context of 3532	1916	spoolsv.exe	diskperf.exe
PID 288 set thread context of 3540	288	spoolsv.exe	spoolsv.exe
PID 288 set thread context of 3548	288	spoolsv.exe	diskperf.exe
PID 1600 set thread context of 3576	1600	spoolsv.exe	spoolsv.exe
PID 1600 set thread context of 3584	1600	spoolsv.exe	diskperf.exe
PID 1952 set thread context of 3608	1952	spoolsv.exe	spoolsv.exe
PID 1952 set thread context of 3616	1952	spoolsv.exe	diskperf.exe
PID 1932 set thread context of 3644	1932	spoolsv.exe	spoolsv.exe
PID 1932 set thread context of 3652	1932	spoolsv.exe	diskperf.exe
PID 1404 set thread context of 3680	1404	spoolsv.exe	spoolsv.exe
PID 1404 set thread context of 3688	1404	spoolsv.exe	diskperf.exe
PID 1844 set thread context of 3708	1844	spoolsv.exe	spoolsv.exe
PID 1844 set thread context of 3716	1844	spoolsv.exe	diskperf.exe
PID 2020 set thread context of 3748	2020	spoolsv.exe	spoolsv.exe
PID 2020 set thread context of 3756	2020	spoolsv.exe	diskperf.exe
PID 660 set thread context of 3784	660	spoolsv.exe	spoolsv.exe
PID 660 set thread context of 3792	660	spoolsv.exe	diskperf.exe
PID 760 set thread context of 3816	760	spoolsv.exe	spoolsv.exe
PID 760 set thread context of 3824	760	spoolsv.exe	diskperf.exe
PID 1492 set thread context of 3852	1492	spoolsv.exe	spoolsv.exe
PID 1492 set thread context of 3860	1492	spoolsv.exe	diskperf.exe
PID 1548 set thread context of 3888	1548	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 3896	1548	spoolsv.exe	diskperf.exe
PID 1084 set thread context of 3880	1084	spoolsv.exe	spoolsv.exe
PID 1084 set thread context of 3904	1084	spoolsv.exe	diskperf.exe
PID 1204 set thread context of 3928	1204	spoolsv.exe	spoolsv.exe
PID 1204 set thread context of 3936	1204	spoolsv.exe	diskperf.exe
PID 552 set thread context of 3960	552	spoolsv.exe	spoolsv.exe
PID 552 set thread context of 3968	552	spoolsv.exe	diskperf.exe
PID 884 set thread context of 3988	884	spoolsv.exe	spoolsv.exe
PID 884 set thread context of 3996	884	spoolsv.exe	diskperf.exe
PID 924 set thread context of 4024	924	spoolsv.exe	spoolsv.exe
PID 924 set thread context of 4032	924	spoolsv.exe	diskperf.exe
PID 1684 set thread context of 4052	1684	spoolsv.exe	spoolsv.exe
PID 1832 set thread context of 4080	1832	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 4060	1684	spoolsv.exe	diskperf.exe
PID 1840 set thread context of 1888	1840	spoolsv.exe	diskperf.exe
PID 1832 set thread context of 4088	1832	spoolsv.exe	diskperf.exe
PID 1608 set thread context of 1520	1608	spoolsv.exe	spoolsv.exe
PID 1840 set thread context of 1056	1840	spoolsv.exe	diskperf.exe
PID 1608 set thread context of 3416	1608	spoolsv.exe	diskperf.exe
PID 1892 set thread context of 3384	1892	spoolsv.exe	spoolsv.exe
PID 1676 set thread context of 1088	1676	spoolsv.exe	diskperf.exe
PID 1892 set thread context of 3448	1892	spoolsv.exe	diskperf.exe
PID 1676 set thread context of 3496	1676	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exeexplorer.exe

pid	process
1460	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1620 explorer.exe

pid	process
1620	explorer.exe

Suspicious use of SetWindowsHookEx 58 IoCs

Processes:

pid	process
1460	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
1460	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
1620	explorer.exe
3380	spoolsv.exe
3380	spoolsv.exe
3444	spoolsv.exe
3444	spoolsv.exe
3472	spoolsv.exe
3472	spoolsv.exe
3508	spoolsv.exe
3508	spoolsv.exe
3540	spoolsv.exe
3540	spoolsv.exe
3576	spoolsv.exe
3576	spoolsv.exe
3608	spoolsv.exe
3608	spoolsv.exe
3644	spoolsv.exe
3644	spoolsv.exe
3680	spoolsv.exe
3680	spoolsv.exe
3708	spoolsv.exe
3708	spoolsv.exe
3748	spoolsv.exe
3748	spoolsv.exe
3784	spoolsv.exe
3784	spoolsv.exe
3816	spoolsv.exe
3816	spoolsv.exe
3852	spoolsv.exe
3852	spoolsv.exe
3888	spoolsv.exe
3880	spoolsv.exe
3888	spoolsv.exe
3880	spoolsv.exe
3928	spoolsv.exe
3928	spoolsv.exe
3960	spoolsv.exe
3960	spoolsv.exe
3988	spoolsv.exe
3988	spoolsv.exe
4024	spoolsv.exe
4024	spoolsv.exe
4052	spoolsv.exe
4052	spoolsv.exe
4080	spoolsv.exe
4080	spoolsv.exe
1888	diskperf.exe
1888	diskperf.exe
1520	spoolsv.exe
1520	spoolsv.exe
3384	spoolsv.exe
1088	diskperf.exe
3384	spoolsv.exe
1088	diskperf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exedd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 684 wrote to memory of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 wrote to memory of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 wrote to memory of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 wrote to memory of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 wrote to memory of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 wrote to memory of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 wrote to memory of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 wrote to memory of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 wrote to memory of 1460	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 684 wrote to memory of 1360	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 684 wrote to memory of 1360	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 684 wrote to memory of 1360	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 684 wrote to memory of 1360	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 684 wrote to memory of 1360	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 684 wrote to memory of 1360	684	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 1460 wrote to memory of 976	1460	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	explorer.exe
PID 1460 wrote to memory of 976	1460	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	explorer.exe
PID 1460 wrote to memory of 976	1460	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	explorer.exe
PID 1460 wrote to memory of 976	1460	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	explorer.exe
PID 976 wrote to memory of 1620	976	explorer.exe	explorer.exe
PID 976 wrote to memory of 1620	976	explorer.exe	explorer.exe
PID 976 wrote to memory of 1620	976	explorer.exe	explorer.exe
PID 976 wrote to memory of 1620	976	explorer.exe	explorer.exe
PID 976 wrote to memory of 1620	976	explorer.exe	explorer.exe
PID 976 wrote to memory of 1620	976	explorer.exe	explorer.exe
PID 976 wrote to memory of 1620	976	explorer.exe	explorer.exe
PID 976 wrote to memory of 1620	976	explorer.exe	explorer.exe
PID 976 wrote to memory of 1620	976	explorer.exe	explorer.exe
PID 976 wrote to memory of 1020	976	explorer.exe	diskperf.exe
PID 976 wrote to memory of 1020	976	explorer.exe	diskperf.exe
PID 976 wrote to memory of 1020	976	explorer.exe	diskperf.exe
PID 976 wrote to memory of 1020	976	explorer.exe	diskperf.exe
PID 976 wrote to memory of 1020	976	explorer.exe	diskperf.exe
PID 976 wrote to memory of 1020	976	explorer.exe	diskperf.exe
PID 1620 wrote to memory of 1464	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1464	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1464	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1464	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1484	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1484	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1484	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1484	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 596	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 596	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 596	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 596	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1916	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1916	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1916	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1916	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 288	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 288	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 288	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 288	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1600	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1600	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1600	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1600	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1952	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1952	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1952	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1952	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1932	1620	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 1932	1620	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
"C:\Users\Admin\AppData\Local\Temp\dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
"C:\Users\Admin\AppData\Local\Temp\dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:976

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3380

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3444

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3472

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3576

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3700

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3708

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3776

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3852

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3928

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3960

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3988

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4024

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4044

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4052

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3384

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3492

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1604

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1928

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1176

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3856

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3932

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4056

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4052

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1460

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3576

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1632

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1356

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4116

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1360

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:2008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:368

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
c1ad5f2ef3adc0df53f806aae1b0429b

SHA1
2f132de302815f8eb4d5b0595d15c3728144d84a

SHA256
dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45

SHA512
7c0013dddb9bb01ea2bc0a72492e2df754c9a6ca9b08eb3a7171eb79a3e090107503947ded8dd92f9143719b2b9f3facabaab4bd39a7e5ab476ad5232c658d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
9b16d091e6a233bfd68558add11fca67

SHA1
6fa0184c612df36d46b61974af538ebe1a37e4e5

SHA256
116e9545ecaf2c9380fdb29a9149661f2048f1a2d50c3883692c52f2472849bc

SHA512
bfdca1468fba05cab02d1f9bd3ed5c11b4946812c91f001ec31fa7447cf50f671808a9cce6f727e0f735b9b7cf311902e552ee22120f9c94f392c692cf37db75

Download Submit
C:\Windows\system\explorer.exe
MD5
9b16d091e6a233bfd68558add11fca67

SHA1
6fa0184c612df36d46b61974af538ebe1a37e4e5

SHA256
116e9545ecaf2c9380fdb29a9149661f2048f1a2d50c3883692c52f2472849bc

SHA512
bfdca1468fba05cab02d1f9bd3ed5c11b4946812c91f001ec31fa7447cf50f671808a9cce6f727e0f735b9b7cf311902e552ee22120f9c94f392c692cf37db75

Download Submit
C:\Windows\system\explorer.exe
MD5
9b16d091e6a233bfd68558add11fca67

SHA1
6fa0184c612df36d46b61974af538ebe1a37e4e5

SHA256
116e9545ecaf2c9380fdb29a9149661f2048f1a2d50c3883692c52f2472849bc

SHA512
bfdca1468fba05cab02d1f9bd3ed5c11b4946812c91f001ec31fa7447cf50f671808a9cce6f727e0f735b9b7cf311902e552ee22120f9c94f392c692cf37db75

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\??\c:\windows\system\explorer.exe
MD5
9b16d091e6a233bfd68558add11fca67

SHA1
6fa0184c612df36d46b61974af538ebe1a37e4e5

SHA256
116e9545ecaf2c9380fdb29a9149661f2048f1a2d50c3883692c52f2472849bc

SHA512
bfdca1468fba05cab02d1f9bd3ed5c11b4946812c91f001ec31fa7447cf50f671808a9cce6f727e0f735b9b7cf311902e552ee22120f9c94f392c692cf37db75

Download Submit
\Windows\system\explorer.exe
MD5
9b16d091e6a233bfd68558add11fca67

SHA1
6fa0184c612df36d46b61974af538ebe1a37e4e5

SHA256
116e9545ecaf2c9380fdb29a9149661f2048f1a2d50c3883692c52f2472849bc

SHA512
bfdca1468fba05cab02d1f9bd3ed5c11b4946812c91f001ec31fa7447cf50f671808a9cce6f727e0f735b9b7cf311902e552ee22120f9c94f392c692cf37db75

Download Submit
\Windows\system\explorer.exe
MD5
9b16d091e6a233bfd68558add11fca67

SHA1
6fa0184c612df36d46b61974af538ebe1a37e4e5

SHA256
116e9545ecaf2c9380fdb29a9149661f2048f1a2d50c3883692c52f2472849bc

SHA512
bfdca1468fba05cab02d1f9bd3ed5c11b4946812c91f001ec31fa7447cf50f671808a9cce6f727e0f735b9b7cf311902e552ee22120f9c94f392c692cf37db75

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
\Windows\system\spoolsv.exe
MD5
9c1b0dda9146c27c4c7dbed8c38c04d2

SHA1
7c863e25193ecc7045913452b29b2fb88f89223c

SHA256
990581ff16c387f7de5e8b20ca90b962ae5684bf2744e5460849404a75b0c007

SHA512
890a610304b50fa761542c3c45108bc76ab74495abf03accf65f2d7b6c6876ab96373c00f37ea595ddb32f8fbf12d0205f55d62986f33493912b57612586b10c

Download Submit
memory/288-119-0x0000000000000000-mapping.dmp

Download
memory/288-126-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/464-257-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/464-247-0x0000000000000000-mapping.dmp

Download
memory/524-255-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/524-243-0x0000000000000000-mapping.dmp

Download
memory/552-198-0x0000000000000000-mapping.dmp

Download
memory/576-273-0x0000000000000000-mapping.dmp

Download
memory/576-282-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/596-107-0x0000000000000000-mapping.dmp

Download
memory/596-114-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/640-294-0x0000000000000000-mapping.dmp

Download
memory/640-296-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/652-258-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/652-249-0x0000000000000000-mapping.dmp

Download
memory/660-161-0x0000000000000000-mapping.dmp

Download
memory/660-168-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/684-61-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/684-60-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/760-181-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/760-166-0x0000000000000000-mapping.dmp

Download
memory/844-239-0x0000000000000000-mapping.dmp

Download
memory/856-315-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/856-307-0x0000000000000000-mapping.dmp

Download
memory/860-292-0x0000000000000000-mapping.dmp

Download
memory/860-301-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/884-203-0x0000000000000000-mapping.dmp

Download
memory/924-210-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/924-206-0x0000000000000000-mapping.dmp

Download
memory/944-237-0x0000000000000000-mapping.dmp

Download
memory/948-285-0x0000000000000000-mapping.dmp

Download
memory/948-297-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/968-269-0x0000000000000000-mapping.dmp

Download
memory/976-74-0x0000000000000000-mapping.dmp

Download
memory/976-265-0x0000000000000000-mapping.dmp

Download
memory/1016-305-0x0000000000000000-mapping.dmp

Download
memory/1020-86-0x0000000000411000-mapping.dmp

Download
memory/1076-275-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1076-259-0x0000000000000000-mapping.dmp

Download
memory/1084-186-0x0000000000000000-mapping.dmp

Download
memory/1084-194-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1108-245-0x0000000000000000-mapping.dmp

Download
memory/1108-256-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1176-254-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1176-241-0x0000000000000000-mapping.dmp

Download
memory/1204-191-0x0000000000000000-mapping.dmp

Download
memory/1204-195-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1296-300-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1296-291-0x0000000000000000-mapping.dmp

Download
memory/1360-70-0x0000000000411000-mapping.dmp

Download
memory/1360-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1360-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1404-153-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1404-143-0x0000000000000000-mapping.dmp

Download
memory/1416-289-0x0000000000000000-mapping.dmp

Download
memory/1416-299-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1424-235-0x0000000000000000-mapping.dmp

Download
memory/1460-63-0x0000000000403670-mapping.dmp

Download
memory/1460-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1460-293-0x0000000000000000-mapping.dmp

Download
memory/1460-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1464-99-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1464-96-0x0000000000000000-mapping.dmp

Download
memory/1484-111-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1484-102-0x0000000000000000-mapping.dmp

Download
memory/1492-173-0x0000000000000000-mapping.dmp

Download
memory/1536-308-0x0000000000000000-mapping.dmp

Download
memory/1548-183-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1548-178-0x0000000000000000-mapping.dmp

Download
memory/1600-124-0x0000000000000000-mapping.dmp

Download
memory/1608-215-0x0000000000000000-mapping.dmp

Download
memory/1620-81-0x0000000000403670-mapping.dmp

Download
memory/1636-304-0x0000000000000000-mapping.dmp

Download
memory/1636-311-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1676-219-0x0000000000000000-mapping.dmp

Download
memory/1676-232-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1680-309-0x0000000000000000-mapping.dmp

Download
memory/1684-229-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1684-213-0x0000000000000000-mapping.dmp

Download
memory/1700-312-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1708-306-0x0000000000000000-mapping.dmp

Download
memory/1740-276-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1740-261-0x0000000000000000-mapping.dmp

Download
memory/1748-267-0x0000000000000000-mapping.dmp

Download
memory/1748-279-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1760-263-0x0000000000000000-mapping.dmp

Download
memory/1832-211-0x0000000000000000-mapping.dmp

Download
memory/1832-227-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1836-303-0x0000000000000000-mapping.dmp

Download
memory/1836-310-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1840-217-0x0000000000000000-mapping.dmp

Download
memory/1840-231-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1844-148-0x0000000000000000-mapping.dmp

Download
memory/1844-156-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1892-221-0x0000000000000000-mapping.dmp

Download
memory/1892-233-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1900-287-0x0000000000000000-mapping.dmp

Download
memory/1900-298-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1916-125-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1916-113-0x0000000000000000-mapping.dmp

Download
memory/1932-152-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1932-136-0x0000000000000000-mapping.dmp

Download
memory/1952-131-0x0000000000000000-mapping.dmp

Download
memory/1968-295-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1968-283-0x0000000000000000-mapping.dmp

Download
memory/1972-223-0x0000000000000000-mapping.dmp

Download
memory/1972-234-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1976-228-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1976-225-0x0000000000000000-mapping.dmp

Download
memory/2020-155-0x0000000000000000-mapping.dmp

Download
memory/2020-167-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2032-281-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2032-271-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads