warzonerat | 7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8

Analysis

max time kernel
150s
max time network
114s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
Size

1.8MB
MD5

d65a8c7050ccfe518ca69538bbf70f91
SHA1

a67f3acfd14d2092f80ade30245dcef6a8d29634
SHA256

7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8
SHA512

57d739244d8db58415f8fa558da2de51ca371b37d2c3380e34e466be3a7e2d796ef485e8f4d28f9e285cc6358216be51ca792ff4987dce79673bcf61b08b5b92

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1332	explorer.exe
2180	explorer.exe
188	spoolsv.exe
2192	spoolsv.exe
2660	spoolsv.exe
2724	spoolsv.exe
3520	spoolsv.exe
2760	spoolsv.exe
2624	spoolsv.exe
3840	spoolsv.exe
3336	spoolsv.exe
640	spoolsv.exe
3212	spoolsv.exe
2096	spoolsv.exe
348	spoolsv.exe
4068	spoolsv.exe
2188	spoolsv.exe
2264	spoolsv.exe
3920	spoolsv.exe
584	spoolsv.exe
2964	spoolsv.exe
2012	spoolsv.exe
912	spoolsv.exe
3048	spoolsv.exe
3296	spoolsv.exe
3856	spoolsv.exe
1296	spoolsv.exe
3836	spoolsv.exe
3500	spoolsv.exe
3064	spoolsv.exe
2636	spoolsv.exe
1976	spoolsv.exe
2216	spoolsv.exe
2060	spoolsv.exe
3616	spoolsv.exe
1628	spoolsv.exe
2340	spoolsv.exe
580	spoolsv.exe
2336	spoolsv.exe
2868	spoolsv.exe
3644	spoolsv.exe
4076	spoolsv.exe
3764	spoolsv.exe
3924	spoolsv.exe
412	spoolsv.exe
2780	spoolsv.exe
4104	spoolsv.exe
4128	spoolsv.exe
4152	spoolsv.exe
4176	spoolsv.exe
4216	spoolsv.exe
4240	spoolsv.exe
4264	spoolsv.exe
4300	spoolsv.exe
4324	spoolsv.exe
4348	spoolsv.exe
4372	spoolsv.exe
4412	spoolsv.exe
4436	spoolsv.exe
4460	spoolsv.exe
4496	spoolsv.exe
4516	spoolsv.exe
4532	spoolsv.exe
4548	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 43 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3188 set thread context of 4080	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
PID 3188 set thread context of 2276	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	diskperf.exe
PID 1332 set thread context of 2180	1332	explorer.exe	explorer.exe
PID 1332 set thread context of 1056	1332	explorer.exe	diskperf.exe
PID 188 set thread context of 6752	188	spoolsv.exe	spoolsv.exe
PID 2192 set thread context of 6832	2192	spoolsv.exe	spoolsv.exe
PID 2192 set thread context of 6848	2192	spoolsv.exe	diskperf.exe
PID 2660 set thread context of 6916	2660	spoolsv.exe	spoolsv.exe
PID 2660 set thread context of 6940	2660	spoolsv.exe	diskperf.exe
PID 2724 set thread context of 6980	2724	spoolsv.exe	spoolsv.exe
PID 2724 set thread context of 7004	2724	spoolsv.exe	diskperf.exe
PID 3520 set thread context of 7028	3520	spoolsv.exe	spoolsv.exe
PID 2760 set thread context of 7104	2760	spoolsv.exe	spoolsv.exe
PID 2624 set thread context of 7112	2624	spoolsv.exe	spoolsv.exe
PID 2760 set thread context of 7148	2760	spoolsv.exe	diskperf.exe
PID 3840 set thread context of 3744	3840	spoolsv.exe	spoolsv.exe
PID 3336 set thread context of 4124	3336	spoolsv.exe	spoolsv.exe
PID 3840 set thread context of 6776	3840	spoolsv.exe	diskperf.exe
PID 3336 set thread context of 6840	3336	spoolsv.exe	diskperf.exe
PID 640 set thread context of 6880	640	spoolsv.exe	spoolsv.exe
PID 3212 set thread context of 6828	3212	spoolsv.exe	spoolsv.exe
PID 3212 set thread context of 6956	3212	spoolsv.exe	diskperf.exe
PID 2096 set thread context of 7000	2096	spoolsv.exe	spoolsv.exe
PID 2096 set thread context of 3340	2096	spoolsv.exe	diskperf.exe
PID 348 set thread context of 7072	348	spoolsv.exe	svchost.exe
PID 348 set thread context of 7012	348	spoolsv.exe	diskperf.exe
PID 4068 set thread context of 7096	4068	spoolsv.exe	spoolsv.exe
PID 2188 set thread context of 3748	2188	spoolsv.exe	spoolsv.exe
PID 2188 set thread context of 7116	2188	spoolsv.exe	diskperf.exe
PID 2264 set thread context of 7132	2264	spoolsv.exe	spoolsv.exe
PID 3920 set thread context of 3964	3920	spoolsv.exe	spoolsv.exe
PID 3920 set thread context of 3984	3920	spoolsv.exe	diskperf.exe
PID 584 set thread context of 2880	584	spoolsv.exe	spoolsv.exe
PID 584 set thread context of 2172	584	spoolsv.exe	diskperf.exe
PID 2964 set thread context of 7024	2964	spoolsv.exe	spoolsv.exe
PID 2964 set thread context of 7044	2964	spoolsv.exe	diskperf.exe
PID 2012 set thread context of 4452	2012	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 3444	912	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 3592	912	spoolsv.exe	diskperf.exe
PID 3048 set thread context of 4000	3048	spoolsv.exe	spoolsv.exe
PID 3048 set thread context of 3624	3048	spoolsv.exe	diskperf.exe
PID 3296 set thread context of 4556	3296	spoolsv.exe	svchost.exe
PID 3296 set thread context of 2796	3296	spoolsv.exe	diskperf.exe
PID 3856 set thread context of 3956	3856	spoolsv.exe	spoolsv.exe
PID 3856 set thread context of 4572	3856	spoolsv.exe	diskperf.exe
PID 1296 set thread context of 812	1296	spoolsv.exe	spoolsv.exe
PID 1296 set thread context of 2840	1296	spoolsv.exe	diskperf.exe
PID 3836 set thread context of 6812	3836	spoolsv.exe	spoolsv.exe
PID 3500 set thread context of 1972	3500	spoolsv.exe	spoolsv.exe
PID 3064 set thread context of 3016	3064	spoolsv.exe	spoolsv.exe
PID 3064 set thread context of 644	3064	spoolsv.exe	diskperf.exe
PID 2636 set thread context of 7108	2636	spoolsv.exe	spoolsv.exe
PID 2636 set thread context of 508	2636	spoolsv.exe	diskperf.exe
PID 1976 set thread context of 3772	1976	spoolsv.exe	svchost.exe
PID 1976 set thread context of 1512	1976	spoolsv.exe	diskperf.exe
PID 2216 set thread context of 1516	2216	spoolsv.exe	diskperf.exe
PID 2216 set thread context of 1300	2216	spoolsv.exe	diskperf.exe
PID 2060 set thread context of 3672	2060	spoolsv.exe	svchost.exe
PID 2060 set thread context of 1368	2060	spoolsv.exe	diskperf.exe
PID 3616 set thread context of 1016	3616	spoolsv.exe	spoolsv.exe
PID 3616 set thread context of 7100	3616	spoolsv.exe	diskperf.exe
PID 1628 set thread context of 2120	1628	spoolsv.exe	spoolsv.exe
PID 1628 set thread context of 7140	1628	spoolsv.exe	diskperf.exe
PID 2340 set thread context of 2756	2340	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exeexplorer.exe

pid	process
4080	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
4080	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2180 explorer.exe

pid	process
2180	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exediskperf.exespoolsv.exespoolsv.exe

pid	process
4080	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
4080	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
2180	explorer.exe
6752	spoolsv.exe
6752	spoolsv.exe
6832	spoolsv.exe
6832	spoolsv.exe
6916	spoolsv.exe
6916	spoolsv.exe
6980	spoolsv.exe
6980	spoolsv.exe
7028	spoolsv.exe
7028	spoolsv.exe
7112	spoolsv.exe
7104	spoolsv.exe
7112	spoolsv.exe
7104	spoolsv.exe
4124	spoolsv.exe
3744	spoolsv.exe
3744	spoolsv.exe
6880	spoolsv.exe
6880	spoolsv.exe
6828	spoolsv.exe
6828	spoolsv.exe
4124	spoolsv.exe
7000	spoolsv.exe
7000	spoolsv.exe
7072	svchost.exe
7072	svchost.exe
7096	spoolsv.exe
7096	spoolsv.exe
3748	spoolsv.exe
3748	spoolsv.exe
7132	spoolsv.exe
7132	spoolsv.exe
3964	spoolsv.exe
3964	spoolsv.exe
2880	spoolsv.exe
2880	spoolsv.exe
7024	spoolsv.exe
7024	spoolsv.exe
4452	spoolsv.exe
4452	spoolsv.exe
3444	spoolsv.exe
3444	spoolsv.exe
4000	spoolsv.exe
4000	spoolsv.exe
4556	svchost.exe
4556	svchost.exe
3956	spoolsv.exe
3956	spoolsv.exe
812	spoolsv.exe
812	spoolsv.exe
6812	spoolsv.exe
6812	spoolsv.exe
1972	diskperf.exe
1972	diskperf.exe
3016	spoolsv.exe
3016	spoolsv.exe
7108	spoolsv.exe
7108	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3188 wrote to memory of 4080	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
PID 3188 wrote to memory of 4080	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
PID 3188 wrote to memory of 4080	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
PID 3188 wrote to memory of 4080	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
PID 3188 wrote to memory of 4080	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
PID 3188 wrote to memory of 4080	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
PID 3188 wrote to memory of 4080	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
PID 3188 wrote to memory of 4080	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
PID 3188 wrote to memory of 2276	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	diskperf.exe
PID 3188 wrote to memory of 2276	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	diskperf.exe
PID 3188 wrote to memory of 2276	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	diskperf.exe
PID 3188 wrote to memory of 2276	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	diskperf.exe
PID 3188 wrote to memory of 2276	3188	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	diskperf.exe
PID 4080 wrote to memory of 1332	4080	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	explorer.exe
PID 4080 wrote to memory of 1332	4080	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	explorer.exe
PID 4080 wrote to memory of 1332	4080	7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe	explorer.exe
PID 1332 wrote to memory of 2180	1332	explorer.exe	explorer.exe
PID 1332 wrote to memory of 2180	1332	explorer.exe	explorer.exe
PID 1332 wrote to memory of 2180	1332	explorer.exe	explorer.exe
PID 1332 wrote to memory of 2180	1332	explorer.exe	explorer.exe
PID 1332 wrote to memory of 2180	1332	explorer.exe	explorer.exe
PID 1332 wrote to memory of 2180	1332	explorer.exe	explorer.exe
PID 1332 wrote to memory of 2180	1332	explorer.exe	explorer.exe
PID 1332 wrote to memory of 2180	1332	explorer.exe	explorer.exe
PID 1332 wrote to memory of 1056	1332	explorer.exe	diskperf.exe
PID 1332 wrote to memory of 1056	1332	explorer.exe	diskperf.exe
PID 1332 wrote to memory of 1056	1332	explorer.exe	diskperf.exe
PID 1332 wrote to memory of 1056	1332	explorer.exe	diskperf.exe
PID 1332 wrote to memory of 1056	1332	explorer.exe	diskperf.exe
PID 2180 wrote to memory of 188	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 188	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 188	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2192	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2192	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2192	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2660	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2660	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2660	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2724	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2724	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2724	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3520	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3520	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3520	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2760	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2760	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2760	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2624	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2624	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2624	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3840	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3840	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3840	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3336	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3336	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3336	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 640	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 640	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 640	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3212	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3212	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 3212	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2096	2180	explorer.exe	spoolsv.exe
PID 2180 wrote to memory of 2096	2180	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
"C:\Users\Admin\AppData\Local\Temp\7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3188

C:\Users\Admin\AppData\Local\Temp\7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe
"C:\Users\Admin\AppData\Local\Temp\7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4080

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1332

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6980

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7052

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7112

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3744

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7000

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:7072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7096

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7132

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2880

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7024

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Suspicious use of SetWindowsHookEx
PID:7072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4452

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7128

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3444

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4556

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:812

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6812

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1972

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4476

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:7108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3772

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1516

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2120

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1616

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4948

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3848

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5092

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4188

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:812

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1112

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5044

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4176

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4420

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7108

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4112

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4188

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:812

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5296

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4160

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1516

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4320

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4188

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5244

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4416

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4440

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4188

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5472

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4440

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:2276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
d65a8c7050ccfe518ca69538bbf70f91

SHA1
a67f3acfd14d2092f80ade30245dcef6a8d29634

SHA256
7c0b5900a23a59b9d4f8b9fd3a1ab169fddcb41db929da8bd9c50866315077c8

SHA512
57d739244d8db58415f8fa558da2de51ca371b37d2c3380e34e466be3a7e2d796ef485e8f4d28f9e285cc6358216be51ca792ff4987dce79673bcf61b08b5b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
4c97edd4486fe74a48f0562f8fd693cf

SHA1
62d2b1e8349c6107a6bd9efb11e07d493b2ecd03

SHA256
94266dbdc89c01f863283c0282b7f8899a798ac711e413a345a21395b034c61e

SHA512
3333e5b4ef12fb226a7c8e31251bb338c1650a1797cb48afe3f14086605b3162755773c82b88b8a03ccfd4b0bd0ef261723c04f6d73cfb45132a7e7496210ab6

Download Submit
C:\Windows\System\explorer.exe
MD5
4c97edd4486fe74a48f0562f8fd693cf

SHA1
62d2b1e8349c6107a6bd9efb11e07d493b2ecd03

SHA256
94266dbdc89c01f863283c0282b7f8899a798ac711e413a345a21395b034c61e

SHA512
3333e5b4ef12fb226a7c8e31251bb338c1650a1797cb48afe3f14086605b3162755773c82b88b8a03ccfd4b0bd0ef261723c04f6d73cfb45132a7e7496210ab6

Download Submit
C:\Windows\System\explorer.exe
MD5
4c97edd4486fe74a48f0562f8fd693cf

SHA1
62d2b1e8349c6107a6bd9efb11e07d493b2ecd03

SHA256
94266dbdc89c01f863283c0282b7f8899a798ac711e413a345a21395b034c61e

SHA512
3333e5b4ef12fb226a7c8e31251bb338c1650a1797cb48afe3f14086605b3162755773c82b88b8a03ccfd4b0bd0ef261723c04f6d73cfb45132a7e7496210ab6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
\??\c:\windows\system\explorer.exe
MD5
4c97edd4486fe74a48f0562f8fd693cf

SHA1
62d2b1e8349c6107a6bd9efb11e07d493b2ecd03

SHA256
94266dbdc89c01f863283c0282b7f8899a798ac711e413a345a21395b034c61e

SHA512
3333e5b4ef12fb226a7c8e31251bb338c1650a1797cb48afe3f14086605b3162755773c82b88b8a03ccfd4b0bd0ef261723c04f6d73cfb45132a7e7496210ab6

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
b7abad442395ccebd9209c029fcf6a43

SHA1
b37be76923e5ab4a083bc0212b179a83ce06ba4f

SHA256
c2956c8640afa8a1f0feb189abbc9a63ec92882d28930eef16abef2ce8ae3283

SHA512
217bc3f01f6dd236ae476afcaff267851a0edb6caf50444251f3165e1ee5c099266c610d1b41d91333af265de47c91d5b122fcc8ba1788c84bab32ed293000f6

Download Submit
memory/188-151-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/188-144-0x0000000000000000-mapping.dmp

Download
memory/348-180-0x0000000000000000-mapping.dmp

Download
memory/412-276-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/412-269-0x0000000000000000-mapping.dmp

Download
memory/580-247-0x0000000000000000-mapping.dmp

Download
memory/580-250-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/584-198-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/584-193-0x0000000000000000-mapping.dmp

Download
memory/640-170-0x0000000000000000-mapping.dmp

Download
memory/640-177-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/912-203-0x0000000000000000-mapping.dmp

Download
memory/912-210-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1056-137-0x0000000000411000-mapping.dmp

Download
memory/1296-219-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/1296-215-0x0000000000000000-mapping.dmp

Download
memory/1332-129-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1332-126-0x0000000000000000-mapping.dmp

Download
memory/1628-243-0x0000000000000000-mapping.dmp

Download
memory/1628-251-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1976-238-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1976-232-0x0000000000000000-mapping.dmp

Download
memory/2012-201-0x0000000000000000-mapping.dmp

Download
memory/2012-209-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2060-240-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2060-236-0x0000000000000000-mapping.dmp

Download
memory/2096-184-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2096-178-0x0000000000000000-mapping.dmp

Download
memory/2180-131-0x0000000000403670-mapping.dmp

Download
memory/2188-195-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2188-187-0x0000000000000000-mapping.dmp

Download
memory/2192-153-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2192-147-0x0000000000000000-mapping.dmp

Download
memory/2216-239-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2216-234-0x0000000000000000-mapping.dmp

Download
memory/2264-189-0x0000000000000000-mapping.dmp

Download
memory/2264-196-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2276-122-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2276-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2276-118-0x0000000000411000-mapping.dmp

Download
memory/2336-253-0x0000000000000000-mapping.dmp

Download
memory/2336-259-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2340-252-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2340-245-0x0000000000000000-mapping.dmp

Download
memory/2624-163-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2624-160-0x0000000000000000-mapping.dmp

Download
memory/2636-229-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2636-226-0x0000000000000000-mapping.dmp

Download
memory/2660-152-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2660-149-0x0000000000000000-mapping.dmp

Download
memory/2724-154-0x0000000000000000-mapping.dmp

Download
memory/2760-165-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2760-158-0x0000000000000000-mapping.dmp

Download
memory/2780-271-0x0000000000000000-mapping.dmp

Download
memory/2780-274-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2868-255-0x0000000000000000-mapping.dmp

Download
memory/2868-261-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2964-207-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2964-199-0x0000000000000000-mapping.dmp

Download
memory/3048-205-0x0000000000000000-mapping.dmp

Download
memory/3048-208-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3064-224-0x0000000000000000-mapping.dmp

Download
memory/3064-231-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3188-114-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/3212-175-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3212-172-0x0000000000000000-mapping.dmp

Download
memory/3296-211-0x0000000000000000-mapping.dmp

Download
memory/3296-217-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3336-168-0x0000000000000000-mapping.dmp

Download
memory/3336-176-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3500-222-0x0000000000000000-mapping.dmp

Download
memory/3500-230-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3520-156-0x0000000000000000-mapping.dmp

Download
memory/3520-164-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3616-249-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3616-241-0x0000000000000000-mapping.dmp

Download
memory/3644-263-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/3644-257-0x0000000000000000-mapping.dmp

Download
memory/3764-265-0x0000000000000000-mapping.dmp

Download
memory/3764-273-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3836-220-0x0000000000000000-mapping.dmp

Download
memory/3836-228-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3840-174-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/3840-166-0x0000000000000000-mapping.dmp

Download
memory/3856-213-0x0000000000000000-mapping.dmp

Download
memory/3856-218-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/3920-191-0x0000000000000000-mapping.dmp

Download
memory/3920-197-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3924-275-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/3924-267-0x0000000000000000-mapping.dmp

Download
memory/4068-182-0x0000000000000000-mapping.dmp

Download
memory/4068-186-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4076-264-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4076-260-0x0000000000000000-mapping.dmp

Download
memory/4080-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4080-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4080-116-0x0000000000403670-mapping.dmp

Download
memory/4104-277-0x0000000000000000-mapping.dmp

Download
memory/4104-285-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4128-287-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4128-279-0x0000000000000000-mapping.dmp

Download
memory/4152-288-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/4152-281-0x0000000000000000-mapping.dmp

Download
memory/4176-286-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4176-283-0x0000000000000000-mapping.dmp

Download
memory/4216-289-0x0000000000000000-mapping.dmp

Download
memory/4216-295-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4240-291-0x0000000000000000-mapping.dmp

Download
memory/4240-296-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4264-297-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4264-293-0x0000000000000000-mapping.dmp

Download
memory/4300-298-0x0000000000000000-mapping.dmp

Download
memory/4300-306-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/4324-300-0x0000000000000000-mapping.dmp

Download
memory/4324-308-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4348-309-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4348-302-0x0000000000000000-mapping.dmp

Download
memory/4372-304-0x0000000000000000-mapping.dmp

Download
memory/4372-307-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4412-310-0x0000000000000000-mapping.dmp

Download
memory/4412-316-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4436-312-0x0000000000000000-mapping.dmp

Download
memory/4436-317-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4460-314-0x0000000000000000-mapping.dmp

Download
memory/4460-318-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4496-319-0x0000000000000000-mapping.dmp

Download