warzonerat | 762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272

Analysis

max time kernel
144s
max time network
103s
platform
windows7_x64
resource
win7v20210408
submitted
04-05-2021 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
Size

1.8MB
MD5

eab132251e5464f1ae1f8478d047058b
SHA1

abaae5a3a6f893c9b9843a28d380bc5650363710
SHA256

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272
SHA512

d5f3b76f638e9deb4dcf157909b0770e75937215b654b4c4d8819141103daf2d632f99fd0dc2e81e0c762a54409b2797516eb6bc418f51d196f5d1bd1577b7bc

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1172	explorer.exe
1872	explorer.exe
1732	spoolsv.exe
1088	spoolsv.exe
1744	spoolsv.exe
744	spoolsv.exe
1984	spoolsv.exe
1576	spoolsv.exe
2008	spoolsv.exe
1808	spoolsv.exe
964	spoolsv.exe
1616	spoolsv.exe
1884	spoolsv.exe
1652	spoolsv.exe
584	spoolsv.exe
1688	spoolsv.exe
1548	spoolsv.exe
1968	spoolsv.exe
816	spoolsv.exe
812	spoolsv.exe
300	spoolsv.exe
868	spoolsv.exe
848	spoolsv.exe
1780	spoolsv.exe
1736	spoolsv.exe
1596	spoolsv.exe
2040	spoolsv.exe
1972	spoolsv.exe
2012	spoolsv.exe
2016	spoolsv.exe
940	spoolsv.exe
1588	spoolsv.exe
648	spoolsv.exe
764	spoolsv.exe
1564	spoolsv.exe
1640	spoolsv.exe
616	spoolsv.exe
2044	spoolsv.exe
1028	spoolsv.exe
1092	spoolsv.exe
1172	spoolsv.exe
1056	spoolsv.exe
664	spoolsv.exe
960	spoolsv.exe
1792	spoolsv.exe
240	spoolsv.exe
296	spoolsv.exe
944	spoolsv.exe
2028	spoolsv.exe
1644	spoolsv.exe
668	spoolsv.exe
1580	spoolsv.exe
736	spoolsv.exe
524	spoolsv.exe
368	spoolsv.exe
1316	spoolsv.exe
384	spoolsv.exe
1300	spoolsv.exe
1540	spoolsv.exe
1768	spoolsv.exe
1592	spoolsv.exe
512	spoolsv.exe
860	spoolsv.exe
2004	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exe

pid	process
1688	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
1688	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe

Adds Run key to start application 2 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1820 set thread context of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 set thread context of 1528	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 1172 set thread context of 1872	1172	explorer.exe	explorer.exe
PID 1172 set thread context of 640	1172	explorer.exe	diskperf.exe
PID 1732 set thread context of 3356	1732	spoolsv.exe	spoolsv.exe
PID 1732 set thread context of 3364	1732	spoolsv.exe	diskperf.exe
PID 1088 set thread context of 3404	1088	spoolsv.exe	spoolsv.exe
PID 1088 set thread context of 3420	1088	spoolsv.exe	diskperf.exe
PID 1744 set thread context of 3460	1744	spoolsv.exe	spoolsv.exe
PID 1744 set thread context of 3468	1744	spoolsv.exe	diskperf.exe
PID 744 set thread context of 3492	744	spoolsv.exe	spoolsv.exe
PID 744 set thread context of 3500	744	spoolsv.exe	diskperf.exe
PID 1984 set thread context of 3520	1984	spoolsv.exe	spoolsv.exe
PID 1984 set thread context of 3528	1984	spoolsv.exe	diskperf.exe
PID 1576 set thread context of 3556	1576	spoolsv.exe	spoolsv.exe
PID 1576 set thread context of 3564	1576	spoolsv.exe	diskperf.exe
PID 2008 set thread context of 3584	2008	spoolsv.exe	spoolsv.exe
PID 2008 set thread context of 3592	2008	spoolsv.exe	diskperf.exe
PID 1808 set thread context of 3620	1808	spoolsv.exe	spoolsv.exe
PID 1808 set thread context of 3628	1808	spoolsv.exe	diskperf.exe
PID 964 set thread context of 3648	964	spoolsv.exe	spoolsv.exe
PID 964 set thread context of 3656	964	spoolsv.exe	diskperf.exe
PID 1616 set thread context of 3684	1616	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 3708	1616	spoolsv.exe	diskperf.exe
PID 1884 set thread context of 3716	1884	spoolsv.exe	spoolsv.exe
PID 1884 set thread context of 3724	1884	spoolsv.exe	diskperf.exe
PID 1652 set thread context of 3752	1652	spoolsv.exe	spoolsv.exe
PID 1652 set thread context of 3760	1652	spoolsv.exe	diskperf.exe
PID 584 set thread context of 3788	584	spoolsv.exe	spoolsv.exe
PID 584 set thread context of 3796	584	spoolsv.exe	diskperf.exe
PID 1688 set thread context of 3820	1688	spoolsv.exe	spoolsv.exe
PID 1688 set thread context of 3828	1688	spoolsv.exe	diskperf.exe
PID 1548 set thread context of 3856	1548	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 3864	1548	spoolsv.exe	diskperf.exe
PID 1968 set thread context of 3892	1968	spoolsv.exe	spoolsv.exe
PID 1968 set thread context of 3900	1968	spoolsv.exe	diskperf.exe
PID 816 set thread context of 3920	816	spoolsv.exe	spoolsv.exe
PID 816 set thread context of 3928	816	spoolsv.exe	diskperf.exe
PID 812 set thread context of 3956	812	spoolsv.exe	spoolsv.exe
PID 812 set thread context of 3964	812	spoolsv.exe	diskperf.exe
PID 300 set thread context of 3988	300	spoolsv.exe	spoolsv.exe
PID 300 set thread context of 4008	300	spoolsv.exe	diskperf.exe
PID 868 set thread context of 4016	868	spoolsv.exe	spoolsv.exe
PID 868 set thread context of 4024	868	spoolsv.exe	diskperf.exe
PID 1780 set thread context of 4032	1780	spoolsv.exe	spoolsv.exe
PID 848 set thread context of 4048	848	spoolsv.exe	spoolsv.exe
PID 1780 set thread context of 4040	1780	spoolsv.exe	diskperf.exe
PID 848 set thread context of 4056	848	spoolsv.exe	diskperf.exe
PID 1736 set thread context of 4076	1736	spoolsv.exe	spoolsv.exe
PID 1736 set thread context of 4084	1736	spoolsv.exe	diskperf.exe
PID 2040 set thread context of 1508	2040	spoolsv.exe	spoolsv.exe
PID 2040 set thread context of 332	2040	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 3392	1596	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 3464	2012	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 3488	1596	spoolsv.exe	diskperf.exe
PID 2012 set thread context of 3496	2012	spoolsv.exe	diskperf.exe
PID 1972 set thread context of 3544	1972	spoolsv.exe	diskperf.exe
PID 1972 set thread context of 3536	1972	spoolsv.exe	diskperf.exe
PID 2016 set thread context of 1976	2016	spoolsv.exe	spoolsv.exe
PID 2016 set thread context of 3588	2016	spoolsv.exe	diskperf.exe
PID 1588 set thread context of 1804	1588	spoolsv.exe	spoolsv.exe
PID 1588 set thread context of 3636	1588	spoolsv.exe	diskperf.exe
PID 648 set thread context of 1544	648	spoolsv.exe	diskperf.exe
PID 648 set thread context of 3664	648	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exe

pid	process
1688	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1872 explorer.exe

pid	process
1872	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1688	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
1688	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
1872	explorer.exe
3356	spoolsv.exe
3356	spoolsv.exe
3404	spoolsv.exe
3404	spoolsv.exe
3460	spoolsv.exe
3460	spoolsv.exe
3492	spoolsv.exe
3492	spoolsv.exe
3520	spoolsv.exe
3520	spoolsv.exe
3556	spoolsv.exe
3556	spoolsv.exe
3584	spoolsv.exe
3584	spoolsv.exe
3620	spoolsv.exe
3620	spoolsv.exe
3648	spoolsv.exe
3648	spoolsv.exe
3684	spoolsv.exe
3684	spoolsv.exe
3716	spoolsv.exe
3716	spoolsv.exe
3752	spoolsv.exe
3752	spoolsv.exe
3788	spoolsv.exe
3788	spoolsv.exe
3820	spoolsv.exe
3820	spoolsv.exe
3856	spoolsv.exe
3856	spoolsv.exe
3892	spoolsv.exe
3892	spoolsv.exe
3920	spoolsv.exe
3920	spoolsv.exe
3956	spoolsv.exe
3956	spoolsv.exe
3988	spoolsv.exe
3988	spoolsv.exe
4016	spoolsv.exe
4016	spoolsv.exe
4032	spoolsv.exe
4048	spoolsv.exe
4032	spoolsv.exe
4048	spoolsv.exe
4076	spoolsv.exe
4076	spoolsv.exe
1508	spoolsv.exe
1508	spoolsv.exe
3392	spoolsv.exe
3464	spoolsv.exe
3464	spoolsv.exe
3392	spoolsv.exe
3544	diskperf.exe
3544	diskperf.exe
1976	spoolsv.exe
1976	spoolsv.exe
1804	spoolsv.exe
1544	diskperf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1820 wrote to memory of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 wrote to memory of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 wrote to memory of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 wrote to memory of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 wrote to memory of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 wrote to memory of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 wrote to memory of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 wrote to memory of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 wrote to memory of 1688	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 1820 wrote to memory of 1528	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 1820 wrote to memory of 1528	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 1820 wrote to memory of 1528	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 1820 wrote to memory of 1528	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 1820 wrote to memory of 1528	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 1820 wrote to memory of 1528	1820	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 1688 wrote to memory of 1172	1688	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	explorer.exe
PID 1688 wrote to memory of 1172	1688	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	explorer.exe
PID 1688 wrote to memory of 1172	1688	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	explorer.exe
PID 1688 wrote to memory of 1172	1688	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	explorer.exe
PID 1172 wrote to memory of 1872	1172	explorer.exe	explorer.exe
PID 1172 wrote to memory of 1872	1172	explorer.exe	explorer.exe
PID 1172 wrote to memory of 1872	1172	explorer.exe	explorer.exe
PID 1172 wrote to memory of 1872	1172	explorer.exe	explorer.exe
PID 1172 wrote to memory of 1872	1172	explorer.exe	explorer.exe
PID 1172 wrote to memory of 1872	1172	explorer.exe	explorer.exe
PID 1172 wrote to memory of 1872	1172	explorer.exe	explorer.exe
PID 1172 wrote to memory of 1872	1172	explorer.exe	explorer.exe
PID 1172 wrote to memory of 1872	1172	explorer.exe	explorer.exe
PID 1172 wrote to memory of 640	1172	explorer.exe	diskperf.exe
PID 1172 wrote to memory of 640	1172	explorer.exe	diskperf.exe
PID 1172 wrote to memory of 640	1172	explorer.exe	diskperf.exe
PID 1172 wrote to memory of 640	1172	explorer.exe	diskperf.exe
PID 1172 wrote to memory of 640	1172	explorer.exe	diskperf.exe
PID 1172 wrote to memory of 640	1172	explorer.exe	diskperf.exe
PID 1872 wrote to memory of 1732	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1732	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1732	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1732	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1088	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1088	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1088	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1088	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1744	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1744	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1744	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1744	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 744	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 744	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 744	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 744	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1984	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1984	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1984	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1984	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1576	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1576	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1576	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1576	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 2008	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 2008	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 2008	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 2008	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1808	1872	explorer.exe	spoolsv.exe
PID 1872 wrote to memory of 1808	1872	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
"C:\Users\Admin\AppData\Local\Temp\762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
"C:\Users\Admin\AppData\Local\Temp\762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3356

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3452

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3460

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3492

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3520

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3556

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3620

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3684

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3716

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3744

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3788

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3856

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3892

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3988

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4032

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4076

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3360

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3544

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3704

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1804

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3876

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1812

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1628

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1960

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1460

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1264

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4052

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:952

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1476

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1524

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3856

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1468

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1536

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3892

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1468

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4128

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1324

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4208

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1528

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
eab132251e5464f1ae1f8478d047058b

SHA1
abaae5a3a6f893c9b9843a28d380bc5650363710

SHA256
762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272

SHA512
d5f3b76f638e9deb4dcf157909b0770e75937215b654b4c4d8819141103daf2d632f99fd0dc2e81e0c762a54409b2797516eb6bc418f51d196f5d1bd1577b7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
fd8bd9b54e71d7eff9514f1c2d52a56a

SHA1
1b6c85c9ed6d9283a184a3a92bd2116fcec77a09

SHA256
b0546a1510cf64c1160920844569cdd8c7d20c613fffce1b3f25dfa017f6c530

SHA512
ec63d7d0604a182619f01264926a2237c86b38dd3b3f39b36746655a44c14f8f4e43525767a119f15359c14457634d26750121de67af2e9d2be36c0c69736de9

Download Submit
C:\Windows\system\explorer.exe
MD5
fd8bd9b54e71d7eff9514f1c2d52a56a

SHA1
1b6c85c9ed6d9283a184a3a92bd2116fcec77a09

SHA256
b0546a1510cf64c1160920844569cdd8c7d20c613fffce1b3f25dfa017f6c530

SHA512
ec63d7d0604a182619f01264926a2237c86b38dd3b3f39b36746655a44c14f8f4e43525767a119f15359c14457634d26750121de67af2e9d2be36c0c69736de9

Download Submit
C:\Windows\system\explorer.exe
MD5
fd8bd9b54e71d7eff9514f1c2d52a56a

SHA1
1b6c85c9ed6d9283a184a3a92bd2116fcec77a09

SHA256
b0546a1510cf64c1160920844569cdd8c7d20c613fffce1b3f25dfa017f6c530

SHA512
ec63d7d0604a182619f01264926a2237c86b38dd3b3f39b36746655a44c14f8f4e43525767a119f15359c14457634d26750121de67af2e9d2be36c0c69736de9

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\??\c:\windows\system\explorer.exe
MD5
fd8bd9b54e71d7eff9514f1c2d52a56a

SHA1
1b6c85c9ed6d9283a184a3a92bd2116fcec77a09

SHA256
b0546a1510cf64c1160920844569cdd8c7d20c613fffce1b3f25dfa017f6c530

SHA512
ec63d7d0604a182619f01264926a2237c86b38dd3b3f39b36746655a44c14f8f4e43525767a119f15359c14457634d26750121de67af2e9d2be36c0c69736de9

Download Submit
\Windows\system\explorer.exe
MD5
fd8bd9b54e71d7eff9514f1c2d52a56a

SHA1
1b6c85c9ed6d9283a184a3a92bd2116fcec77a09

SHA256
b0546a1510cf64c1160920844569cdd8c7d20c613fffce1b3f25dfa017f6c530

SHA512
ec63d7d0604a182619f01264926a2237c86b38dd3b3f39b36746655a44c14f8f4e43525767a119f15359c14457634d26750121de67af2e9d2be36c0c69736de9

Download Submit
\Windows\system\explorer.exe
MD5
fd8bd9b54e71d7eff9514f1c2d52a56a

SHA1
1b6c85c9ed6d9283a184a3a92bd2116fcec77a09

SHA256
b0546a1510cf64c1160920844569cdd8c7d20c613fffce1b3f25dfa017f6c530

SHA512
ec63d7d0604a182619f01264926a2237c86b38dd3b3f39b36746655a44c14f8f4e43525767a119f15359c14457634d26750121de67af2e9d2be36c0c69736de9

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
\Windows\system\spoolsv.exe
MD5
d0820bbe51087bc74e65fd61a84880bb

SHA1
9d7aee5d50fbe9a2acb9797f9c33f953314be7ba

SHA256
5f517a665eb5deaf60ea10d230352f134bb06326081e062d596479231c83317c

SHA512
cc61f73f32d425e27565a3a8a9ef07be054ca2ac1f3637ca4eec463ad4b921ab06991ed8aa8360e6604b0417bda30f219f4874ddb8b78a5c3efd8f26604717fd

Download Submit
memory/240-284-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/240-274-0x0000000000000000-mapping.dmp

Download
memory/296-285-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/296-276-0x0000000000000000-mapping.dmp

Download
memory/300-204-0x0000000000000000-mapping.dmp

Download
memory/300-213-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/368-296-0x0000000000000000-mapping.dmp

Download
memory/384-306-0x0000000000000000-mapping.dmp

Download
memory/384-312-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/512-313-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/524-295-0x0000000000000000-mapping.dmp

Download
memory/584-166-0x0000000000000000-mapping.dmp

Download
memory/584-174-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/616-248-0x0000000000000000-mapping.dmp

Download
memory/616-259-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/640-86-0x0000000000411000-mapping.dmp

Download
memory/648-255-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/648-240-0x0000000000000000-mapping.dmp

Download
memory/664-268-0x0000000000000000-mapping.dmp

Download
memory/664-281-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/668-292-0x0000000000000000-mapping.dmp

Download
memory/668-300-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/736-294-0x0000000000000000-mapping.dmp

Download
memory/744-114-0x0000000000000000-mapping.dmp

Download
memory/744-125-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/764-242-0x0000000000000000-mapping.dmp

Download
memory/764-256-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/812-197-0x0000000000000000-mapping.dmp

Download
memory/816-192-0x0000000000000000-mapping.dmp

Download
memory/816-200-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/848-209-0x0000000000000000-mapping.dmp

Download
memory/848-215-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/868-214-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/868-207-0x0000000000000000-mapping.dmp

Download
memory/940-229-0x0000000000000000-mapping.dmp

Download
memory/944-297-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/944-286-0x0000000000000000-mapping.dmp

Download
memory/960-282-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/960-270-0x0000000000000000-mapping.dmp

Download
memory/964-156-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/964-142-0x0000000000000000-mapping.dmp

Download
memory/1028-252-0x0000000000000000-mapping.dmp

Download
memory/1056-266-0x0000000000000000-mapping.dmp

Download
memory/1088-110-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1088-102-0x0000000000000000-mapping.dmp

Download
memory/1092-262-0x0000000000000000-mapping.dmp

Download
memory/1172-279-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1172-73-0x0000000000000000-mapping.dmp

Download
memory/1172-264-0x0000000000000000-mapping.dmp

Download
memory/1172-78-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1300-307-0x0000000000000000-mapping.dmp

Download
memory/1316-305-0x0000000000000000-mapping.dmp

Download
memory/1316-311-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1528-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1528-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1528-67-0x0000000000411000-mapping.dmp

Download
memory/1540-308-0x0000000000000000-mapping.dmp

Download
memory/1548-179-0x0000000000000000-mapping.dmp

Download
memory/1564-244-0x0000000000000000-mapping.dmp

Download
memory/1576-124-0x0000000000000000-mapping.dmp

Download
memory/1580-301-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1580-293-0x0000000000000000-mapping.dmp

Download
memory/1588-238-0x0000000000000000-mapping.dmp

Download
memory/1592-310-0x0000000000000000-mapping.dmp

Download
memory/1596-219-0x0000000000000000-mapping.dmp

Download
memory/1596-232-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1616-149-0x0000000000000000-mapping.dmp

Download
memory/1640-246-0x0000000000000000-mapping.dmp

Download
memory/1644-290-0x0000000000000000-mapping.dmp

Download
memory/1644-299-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1652-173-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1652-161-0x0000000000000000-mapping.dmp

Download
memory/1688-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-187-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-63-0x0000000000403670-mapping.dmp

Download
memory/1688-172-0x0000000000000000-mapping.dmp

Download
memory/1732-99-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1732-96-0x0000000000000000-mapping.dmp

Download
memory/1736-217-0x0000000000000000-mapping.dmp

Download
memory/1744-111-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1744-107-0x0000000000000000-mapping.dmp

Download
memory/1768-309-0x0000000000000000-mapping.dmp

Download
memory/1780-211-0x0000000000000000-mapping.dmp

Download
memory/1780-216-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1792-272-0x0000000000000000-mapping.dmp

Download
memory/1808-144-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1808-136-0x0000000000000000-mapping.dmp

Download
memory/1820-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1872-81-0x0000000000403670-mapping.dmp

Download
memory/1884-154-0x0000000000000000-mapping.dmp

Download
memory/1884-170-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1968-184-0x0000000000000000-mapping.dmp

Download
memory/1968-188-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1972-223-0x0000000000000000-mapping.dmp

Download
memory/1972-234-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1984-127-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1984-119-0x0000000000000000-mapping.dmp

Download
memory/2008-143-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-131-0x0000000000000000-mapping.dmp

Download
memory/2012-235-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2012-225-0x0000000000000000-mapping.dmp

Download
memory/2016-236-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2016-227-0x0000000000000000-mapping.dmp

Download
memory/2028-298-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2028-288-0x0000000000000000-mapping.dmp

Download
memory/2040-233-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2040-221-0x0000000000000000-mapping.dmp

Download
memory/2044-260-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2044-250-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads