warzonerat | 762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272

Analysis

max time kernel
148s
max time network
148s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
Size

1.8MB
MD5

eab132251e5464f1ae1f8478d047058b
SHA1

abaae5a3a6f893c9b9843a28d380bc5650363710
SHA256

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272
SHA512

d5f3b76f638e9deb4dcf157909b0770e75937215b654b4c4d8819141103daf2d632f99fd0dc2e81e0c762a54409b2797516eb6bc418f51d196f5d1bd1577b7bc

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2112	explorer.exe
2456	explorer.exe
2332	spoolsv.exe
1420	spoolsv.exe
1832	spoolsv.exe
1156	spoolsv.exe
2688	spoolsv.exe
4080	spoolsv.exe
2140	spoolsv.exe
2408	spoolsv.exe
2336	spoolsv.exe
2168	spoolsv.exe
3184	spoolsv.exe
2380	spoolsv.exe
2268	spoolsv.exe
1652	spoolsv.exe
1084	spoolsv.exe
3808	spoolsv.exe
3160	spoolsv.exe
2152	spoolsv.exe
1320	spoolsv.exe
1660	spoolsv.exe
2640	spoolsv.exe
1516	spoolsv.exe
4028	spoolsv.exe
3484	spoolsv.exe
2864	spoolsv.exe
3912	spoolsv.exe
200	spoolsv.exe
2372	spoolsv.exe
616	spoolsv.exe
3636	spoolsv.exe
3940	spoolsv.exe
2596	spoolsv.exe
3588	spoolsv.exe
2932	spoolsv.exe
3980	spoolsv.exe
1576	spoolsv.exe
428	spoolsv.exe
3872	spoolsv.exe
1348	spoolsv.exe
3640	spoolsv.exe
3292	spoolsv.exe
2612	spoolsv.exe
1532	spoolsv.exe
2856	spoolsv.exe
3092	spoolsv.exe
3948	spoolsv.exe
540	spoolsv.exe
4120	spoolsv.exe
4160	spoolsv.exe
4184	spoolsv.exe
4208	spoolsv.exe
4244	spoolsv.exe
4268	spoolsv.exe
4292	spoolsv.exe
4328	spoolsv.exe
4352	spoolsv.exe
4376	spoolsv.exe
4400	spoolsv.exe
4444	spoolsv.exe
4464	spoolsv.exe
4484	spoolsv.exe
4500	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 4048 set thread context of 3528	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 4048 set thread context of 2024	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 2112 set thread context of 2456	2112	explorer.exe	explorer.exe
PID 2332 set thread context of 6728	2332	spoolsv.exe	spoolsv.exe
PID 2332 set thread context of 6748	2332	spoolsv.exe	diskperf.exe
PID 1420 set thread context of 6840	1420	spoolsv.exe	spoolsv.exe
PID 1832 set thread context of 6892	1832	spoolsv.exe	spoolsv.exe
PID 1832 set thread context of 6908	1832	spoolsv.exe	diskperf.exe
PID 1156 set thread context of 6948	1156	spoolsv.exe	spoolsv.exe
PID 1156 set thread context of 6968	1156	spoolsv.exe	diskperf.exe
PID 2688 set thread context of 7032	2688	spoolsv.exe	spoolsv.exe
PID 2688 set thread context of 7052	2688	spoolsv.exe	diskperf.exe
PID 2140 set thread context of 7096	2140	spoolsv.exe	spoolsv.exe
PID 4080 set thread context of 7104	4080	spoolsv.exe	spoolsv.exe
PID 2140 set thread context of 7128	2140	spoolsv.exe	diskperf.exe
PID 4080 set thread context of 7152	4080	spoolsv.exe	diskperf.exe
PID 2408 set thread context of 1252	2408	spoolsv.exe	spoolsv.exe
PID 2336 set thread context of 1428	2336	spoolsv.exe	spoolsv.exe
PID 2336 set thread context of 6756	2336	spoolsv.exe	diskperf.exe
PID 2168 set thread context of 6872	2168	spoolsv.exe	spoolsv.exe
PID 3184 set thread context of 6888	3184	spoolsv.exe	spoolsv.exe
PID 2168 set thread context of 6860	2168	spoolsv.exe	diskperf.exe
PID 3184 set thread context of 1824	3184	spoolsv.exe	diskperf.exe
PID 2380 set thread context of 6920	2380	spoolsv.exe	spoolsv.exe
PID 2380 set thread context of 6960	2380	spoolsv.exe	diskperf.exe
PID 2268 set thread context of 7024	2268	spoolsv.exe	spoolsv.exe
PID 2268 set thread context of 6976	2268	spoolsv.exe	diskperf.exe
PID 1652 set thread context of 7084	1652	spoolsv.exe	spoolsv.exe
PID 1652 set thread context of 7064	1652	spoolsv.exe	diskperf.exe
PID 1084 set thread context of 572	1084	spoolsv.exe	spoolsv.exe
PID 1084 set thread context of 2256	1084	spoolsv.exe	diskperf.exe
PID 3808 set thread context of 2976	3808	spoolsv.exe	spoolsv.exe
PID 3160 set thread context of 6884	3160	spoolsv.exe	spoolsv.exe
PID 3160 set thread context of 3864	3160	spoolsv.exe	diskperf.exe
PID 2152 set thread context of 3936	2152	spoolsv.exe	spoolsv.exe
PID 1320 set thread context of 4348	1320	spoolsv.exe	spoolsv.exe
PID 1320 set thread context of 4176	1320	spoolsv.exe	diskperf.exe
PID 1660 set thread context of 7036	1660	spoolsv.exe	svchost.exe
PID 1660 set thread context of 7112	1660	spoolsv.exe	diskperf.exe
PID 2640 set thread context of 7136	2640	spoolsv.exe	spoolsv.exe
PID 2640 set thread context of 3780	2640	spoolsv.exe	diskperf.exe
PID 1516 set thread context of 2064	1516	spoolsv.exe	spoolsv.exe
PID 4028 set thread context of 4528	4028	spoolsv.exe	spoolsv.exe
PID 4028 set thread context of 6868	4028	spoolsv.exe	diskperf.exe
PID 3484 set thread context of 1640	3484	spoolsv.exe	diskperf.exe
PID 3484 set thread context of 1784	3484	spoolsv.exe	diskperf.exe
PID 2864 set thread context of 3988	2864	spoolsv.exe	spoolsv.exe
PID 2864 set thread context of 744	2864	spoolsv.exe	diskperf.exe
PID 3912 set thread context of 4580	3912	spoolsv.exe	spoolsv.exe
PID 3912 set thread context of 7144	3912	spoolsv.exe	diskperf.exe
PID 200 set thread context of 4616	200	spoolsv.exe	spoolsv.exe
PID 200 set thread context of 4064	200	spoolsv.exe	diskperf.exe
PID 2372 set thread context of 4644	2372	spoolsv.exe	spoolsv.exe
PID 2372 set thread context of 4512	2372	spoolsv.exe	diskperf.exe
PID 616 set thread context of 1940	616	spoolsv.exe	spoolsv.exe
PID 616 set thread context of 6764	616	spoolsv.exe	diskperf.exe
PID 3636 set thread context of 656	3636	spoolsv.exe	spoolsv.exe
PID 3636 set thread context of 1640	3636	spoolsv.exe	diskperf.exe
PID 3940 set thread context of 3164	3940	spoolsv.exe	spoolsv.exe
PID 3940 set thread context of 1820	3940	spoolsv.exe	diskperf.exe
PID 2596 set thread context of 4580	2596	spoolsv.exe	spoolsv.exe
PID 2596 set thread context of 500	2596	spoolsv.exe	diskperf.exe
PID 3588 set thread context of 4804	3588	spoolsv.exe	spoolsv.exe
PID 3588 set thread context of 4676	3588	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exe

pid	process
3528	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
3528	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2456 explorer.exe

pid	process
2456	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exediskperf.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3528	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
3528	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
2456	explorer.exe
6728	spoolsv.exe
6728	spoolsv.exe
6840	spoolsv.exe
6840	spoolsv.exe
6892	spoolsv.exe
6892	spoolsv.exe
6948	spoolsv.exe
6948	spoolsv.exe
7032	spoolsv.exe
7032	spoolsv.exe
7096	spoolsv.exe
7104	spoolsv.exe
7096	spoolsv.exe
7104	spoolsv.exe
1252	spoolsv.exe
1428	spoolsv.exe
1252	spoolsv.exe
6872	spoolsv.exe
6872	spoolsv.exe
1428	spoolsv.exe
6888	spoolsv.exe
6888	spoolsv.exe
6920	spoolsv.exe
6920	spoolsv.exe
7024	spoolsv.exe
7024	spoolsv.exe
7084	spoolsv.exe
7084	spoolsv.exe
572	spoolsv.exe
572	spoolsv.exe
2976	spoolsv.exe
2976	spoolsv.exe
6884	spoolsv.exe
6884	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
4348	spoolsv.exe
4348	spoolsv.exe
7036	svchost.exe
7036	svchost.exe
7136	spoolsv.exe
7136	spoolsv.exe
2064	spoolsv.exe
2064	spoolsv.exe
4528	spoolsv.exe
4528	spoolsv.exe
1640	diskperf.exe
1640	diskperf.exe
3988	spoolsv.exe
3988	spoolsv.exe
4580	spoolsv.exe
4580	spoolsv.exe
4616	spoolsv.exe
4616	spoolsv.exe
4644	spoolsv.exe
4644	spoolsv.exe
1940	spoolsv.exe
1940	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4048 wrote to memory of 3528	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 4048 wrote to memory of 3528	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 4048 wrote to memory of 3528	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 4048 wrote to memory of 3528	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 4048 wrote to memory of 3528	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 4048 wrote to memory of 3528	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 4048 wrote to memory of 3528	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 4048 wrote to memory of 3528	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
PID 4048 wrote to memory of 2024	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 4048 wrote to memory of 2024	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 4048 wrote to memory of 2024	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 4048 wrote to memory of 2024	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 4048 wrote to memory of 2024	4048	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	diskperf.exe
PID 3528 wrote to memory of 2112	3528	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	explorer.exe
PID 3528 wrote to memory of 2112	3528	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	explorer.exe
PID 3528 wrote to memory of 2112	3528	762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe	explorer.exe
PID 2112 wrote to memory of 2456	2112	explorer.exe	explorer.exe
PID 2112 wrote to memory of 2456	2112	explorer.exe	explorer.exe
PID 2112 wrote to memory of 2456	2112	explorer.exe	explorer.exe
PID 2112 wrote to memory of 2456	2112	explorer.exe	explorer.exe
PID 2112 wrote to memory of 2456	2112	explorer.exe	explorer.exe
PID 2112 wrote to memory of 2456	2112	explorer.exe	explorer.exe
PID 2112 wrote to memory of 2456	2112	explorer.exe	explorer.exe
PID 2112 wrote to memory of 2456	2112	explorer.exe	explorer.exe
PID 2112 wrote to memory of 3896	2112	explorer.exe	diskperf.exe
PID 2112 wrote to memory of 3896	2112	explorer.exe	diskperf.exe
PID 2112 wrote to memory of 3896	2112	explorer.exe	diskperf.exe
PID 2456 wrote to memory of 2332	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2332	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2332	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 1420	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 1420	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 1420	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 1832	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 1832	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 1832	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 1156	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 1156	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 1156	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2688	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2688	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2688	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 4080	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 4080	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 4080	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2140	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2140	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2140	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2408	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2408	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2408	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2336	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2336	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2336	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2168	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2168	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2168	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 3184	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 3184	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 3184	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2380	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2380	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2380	2456	explorer.exe	spoolsv.exe
PID 2456 wrote to memory of 2268	2456	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
"C:\Users\Admin\AppData\Local\Temp\762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe
"C:\Users\Admin\AppData\Local\Temp\762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3528

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2112

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6728

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6948

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7096

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2176

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7024

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7084

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:572

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2976

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6884

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3936

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6928

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4348

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:7036

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:388

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7136

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2064

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4528

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1640

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3988

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Suspicious use of SetWindowsHookEx
PID:7036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1940

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2368

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4804

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4076

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4048

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4076

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3740

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2188

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1564

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4276

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5068

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5100

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5112

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4408

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4220

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3520

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4116

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4252

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5248

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1968

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5320

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5356

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5388

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1968

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4332

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4368

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:3896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:2024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
eab132251e5464f1ae1f8478d047058b

SHA1
abaae5a3a6f893c9b9843a28d380bc5650363710

SHA256
762f2070dca829f4fcf9940b97ef65d7c3389aad7f89ce75c83a2c7233d34272

SHA512
d5f3b76f638e9deb4dcf157909b0770e75937215b654b4c4d8819141103daf2d632f99fd0dc2e81e0c762a54409b2797516eb6bc418f51d196f5d1bd1577b7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
b42a27d4055944d3a10669c068d2c201

SHA1
8e05b922b28c637c104987747fa5bf194d22bd51

SHA256
84dee8f8a862aa3c69f69720766b6df9ea7035c4786f7bf7069d1a02d9d174fa

SHA512
2a80d71fc1c858c54673b060e023533bb756a0728cdd4e08fc13948b2afb3d51be5a694244fb166e5ef854712011e3da4a76e5ab1b7ba97e870cea3a84d4f9e3

Download Submit
C:\Windows\System\explorer.exe
MD5
b42a27d4055944d3a10669c068d2c201

SHA1
8e05b922b28c637c104987747fa5bf194d22bd51

SHA256
84dee8f8a862aa3c69f69720766b6df9ea7035c4786f7bf7069d1a02d9d174fa

SHA512
2a80d71fc1c858c54673b060e023533bb756a0728cdd4e08fc13948b2afb3d51be5a694244fb166e5ef854712011e3da4a76e5ab1b7ba97e870cea3a84d4f9e3

Download Submit
C:\Windows\System\explorer.exe
MD5
b42a27d4055944d3a10669c068d2c201

SHA1
8e05b922b28c637c104987747fa5bf194d22bd51

SHA256
84dee8f8a862aa3c69f69720766b6df9ea7035c4786f7bf7069d1a02d9d174fa

SHA512
2a80d71fc1c858c54673b060e023533bb756a0728cdd4e08fc13948b2afb3d51be5a694244fb166e5ef854712011e3da4a76e5ab1b7ba97e870cea3a84d4f9e3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
C:\Windows\System\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
\??\c:\windows\system\explorer.exe
MD5
b42a27d4055944d3a10669c068d2c201

SHA1
8e05b922b28c637c104987747fa5bf194d22bd51

SHA256
84dee8f8a862aa3c69f69720766b6df9ea7035c4786f7bf7069d1a02d9d174fa

SHA512
2a80d71fc1c858c54673b060e023533bb756a0728cdd4e08fc13948b2afb3d51be5a694244fb166e5ef854712011e3da4a76e5ab1b7ba97e870cea3a84d4f9e3

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
32ffeaf77d89d1f34c003a07a03070e1

SHA1
05ab5814f488c61e1373926fc59c1f8beacd181e

SHA256
0668604472b62bdeb310a63a40e55d022ecf90088ab30e9e529b7bc65011488c

SHA512
4be2bef09fa437a3ee79d2487e0fd1c5d0d0c1fc36ce2d12ad43ac817fee4cdfca001dff08d3b55b07997b70c0df4c469f2812eebf5540ce0d7e57a278d284d2

Download Submit
memory/200-224-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/200-218-0x0000000000000000-mapping.dmp

Download
memory/428-247-0x0000000000000000-mapping.dmp

Download
memory/428-250-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/540-283-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/540-276-0x0000000000000000-mapping.dmp

Download
memory/616-229-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/616-222-0x0000000000000000-mapping.dmp

Download
memory/1084-190-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1084-182-0x0000000000000000-mapping.dmp

Download
memory/1156-149-0x0000000000000000-mapping.dmp

Download
memory/1156-155-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1320-202-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1320-194-0x0000000000000000-mapping.dmp

Download
memory/1348-253-0x0000000000000000-mapping.dmp

Download
memory/1348-258-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1420-147-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1420-142-0x0000000000000000-mapping.dmp

Download
memory/1516-200-0x0000000000000000-mapping.dmp

Download
memory/1516-205-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1532-264-0x0000000000000000-mapping.dmp

Download
memory/1532-270-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1576-244-0x0000000000000000-mapping.dmp

Download
memory/1576-248-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1652-181-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/1652-177-0x0000000000000000-mapping.dmp

Download
memory/1660-203-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1660-196-0x0000000000000000-mapping.dmp

Download
memory/1832-144-0x0000000000000000-mapping.dmp

Download
memory/1832-148-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2024-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2024-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2024-118-0x0000000000411000-mapping.dmp

Download
memory/2112-129-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2112-125-0x0000000000000000-mapping.dmp

Download
memory/2140-160-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2140-156-0x0000000000000000-mapping.dmp

Download
memory/2152-193-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2152-188-0x0000000000000000-mapping.dmp

Download
memory/2168-172-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2168-165-0x0000000000000000-mapping.dmp

Download
memory/2268-175-0x0000000000000000-mapping.dmp

Download
memory/2332-146-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2332-139-0x0000000000000000-mapping.dmp

Download
memory/2336-171-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2336-163-0x0000000000000000-mapping.dmp

Download
memory/2372-226-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2372-220-0x0000000000000000-mapping.dmp

Download
memory/2380-173-0x0000000000000000-mapping.dmp

Download
memory/2380-179-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2408-161-0x0000000000000000-mapping.dmp

Download
memory/2408-169-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2456-131-0x0000000000403670-mapping.dmp

Download
memory/2596-237-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2596-232-0x0000000000000000-mapping.dmp

Download
memory/2612-269-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2612-262-0x0000000000000000-mapping.dmp

Download
memory/2640-198-0x0000000000000000-mapping.dmp

Download
memory/2640-204-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2688-157-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2688-151-0x0000000000000000-mapping.dmp

Download
memory/2856-266-0x0000000000000000-mapping.dmp

Download
memory/2856-271-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2864-217-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2864-210-0x0000000000000000-mapping.dmp

Download
memory/2932-238-0x0000000000000000-mapping.dmp

Download
memory/2932-241-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3092-272-0x0000000000000000-mapping.dmp

Download
memory/3092-280-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/3160-192-0x0000000000950000-0x00000000009DE000-memory.dmp

Filesize
568KB

Download
memory/3160-186-0x0000000000000000-mapping.dmp

Download
memory/3184-167-0x0000000000000000-mapping.dmp

Download
memory/3184-170-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/3292-260-0x0000000000000000-mapping.dmp

Download
memory/3292-268-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3484-208-0x0000000000000000-mapping.dmp

Download
memory/3484-215-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3528-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3528-116-0x0000000000403670-mapping.dmp

Download
memory/3588-234-0x0000000000000000-mapping.dmp

Download
memory/3588-239-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3636-228-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3636-225-0x0000000000000000-mapping.dmp

Download
memory/3640-255-0x0000000000000000-mapping.dmp

Download
memory/3640-259-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3808-191-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3808-184-0x0000000000000000-mapping.dmp

Download
memory/3872-257-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3872-251-0x0000000000000000-mapping.dmp

Download
memory/3912-216-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3912-212-0x0000000000000000-mapping.dmp

Download
memory/3940-230-0x0000000000000000-mapping.dmp

Download
memory/3940-236-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3948-282-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3948-274-0x0000000000000000-mapping.dmp

Download
memory/3980-242-0x0000000000000000-mapping.dmp

Download
memory/3980-246-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4028-206-0x0000000000000000-mapping.dmp

Download
memory/4028-214-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4048-114-0x00000000007B0000-0x000000000083E000-memory.dmp

Filesize
568KB

Download
memory/4080-153-0x0000000000000000-mapping.dmp

Download
memory/4120-281-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4120-278-0x0000000000000000-mapping.dmp

Download
memory/4160-284-0x0000000000000000-mapping.dmp

Download
memory/4160-290-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4184-286-0x0000000000000000-mapping.dmp

Download
memory/4184-291-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4208-288-0x0000000000000000-mapping.dmp

Download
memory/4208-292-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4244-299-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4244-293-0x0000000000000000-mapping.dmp

Download
memory/4268-300-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4268-295-0x0000000000000000-mapping.dmp

Download
memory/4292-297-0x0000000000000000-mapping.dmp

Download
memory/4292-301-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4328-310-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4328-302-0x0000000000000000-mapping.dmp

Download
memory/4352-304-0x0000000000000000-mapping.dmp

Download
memory/4352-311-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4376-306-0x0000000000000000-mapping.dmp

Download
memory/4376-312-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4400-308-0x0000000000000000-mapping.dmp

Download
memory/4400-313-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/4444-314-0x0000000000000000-mapping.dmp

Download
memory/4444-316-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4464-315-0x0000000000000000-mapping.dmp

Download