warzonerat | 90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9

Analysis

max time kernel
150s
max time network
64s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
Size

1.8MB
MD5

ab8b026c7402b5e0452ff0f915f2cb0f
SHA1

ca849caf19f9c87e2218f12d8c2c263f010b858f
SHA256

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9
SHA512

c896a625314f135ec0854f2ef80574efc21926c46a04224e6fa3f75342c8647963ee3d7e7538b2ac5352f2ad62f20d9e0bb86c8233289f8bded6ca52830cbbda

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1016	explorer.exe
304	explorer.exe
776	spoolsv.exe
564	spoolsv.exe
1028	spoolsv.exe
1096	spoolsv.exe
2032	spoolsv.exe
1684	spoolsv.exe
1656	spoolsv.exe
916	spoolsv.exe
940	spoolsv.exe
1696	spoolsv.exe
1852	spoolsv.exe
572	spoolsv.exe
2024	spoolsv.exe
1740	spoolsv.exe
1512	spoolsv.exe
1920	spoolsv.exe
1004	spoolsv.exe
340	spoolsv.exe
1320	spoolsv.exe
856	spoolsv.exe
1544	spoolsv.exe
1580	spoolsv.exe
1160	spoolsv.exe
1352	spoolsv.exe
1688	spoolsv.exe
1692	spoolsv.exe
1488	spoolsv.exe
1524	spoolsv.exe
484	spoolsv.exe
1720	spoolsv.exe
420	spoolsv.exe
1748	spoolsv.exe
1168	spoolsv.exe
1928	spoolsv.exe
816	spoolsv.exe
1912	spoolsv.exe
1192	spoolsv.exe
948	spoolsv.exe
984	spoolsv.exe
560	spoolsv.exe
1620	spoolsv.exe
660	spoolsv.exe
1088	spoolsv.exe
1276	spoolsv.exe
1156	spoolsv.exe
1648	spoolsv.exe
1640	spoolsv.exe
1724	spoolsv.exe
748	spoolsv.exe
1668	spoolsv.exe
1856	spoolsv.exe
1956	spoolsv.exe
1548	spoolsv.exe
1976	spoolsv.exe
1540	spoolsv.exe
1460	spoolsv.exe
1092	spoolsv.exe
2012	spoolsv.exe
1840	spoolsv.exe
1608	spoolsv.exe
1936	spoolsv.exe
848	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exe

pid	process
1260	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
1260	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 484 set thread context of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 set thread context of 1456	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 1016 set thread context of 304	1016	explorer.exe	explorer.exe
PID 1016 set thread context of 1820	1016	explorer.exe	diskperf.exe
PID 776 set thread context of 3196	776	spoolsv.exe	spoolsv.exe
PID 776 set thread context of 3204	776	spoolsv.exe	diskperf.exe
PID 564 set thread context of 3236	564	spoolsv.exe	spoolsv.exe
PID 564 set thread context of 3244	564	spoolsv.exe	diskperf.exe
PID 1028 set thread context of 3272	1028	spoolsv.exe	spoolsv.exe
PID 1028 set thread context of 3280	1028	spoolsv.exe	diskperf.exe
PID 1096 set thread context of 3308	1096	spoolsv.exe	spoolsv.exe
PID 1096 set thread context of 3316	1096	spoolsv.exe	diskperf.exe
PID 2032 set thread context of 3344	2032	spoolsv.exe	spoolsv.exe
PID 2032 set thread context of 3352	2032	spoolsv.exe	diskperf.exe
PID 1684 set thread context of 3380	1684	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 3388	1684	spoolsv.exe	diskperf.exe
PID 1656 set thread context of 3416	1656	spoolsv.exe	spoolsv.exe
PID 1656 set thread context of 3424	1656	spoolsv.exe	diskperf.exe
PID 916 set thread context of 3444	916	spoolsv.exe	spoolsv.exe
PID 916 set thread context of 3452	916	spoolsv.exe	diskperf.exe
PID 940 set thread context of 3480	940	spoolsv.exe	spoolsv.exe
PID 940 set thread context of 3500	940	spoolsv.exe	diskperf.exe
PID 1696 set thread context of 3512	1696	spoolsv.exe	spoolsv.exe
PID 1696 set thread context of 3520	1696	spoolsv.exe	diskperf.exe
PID 1852 set thread context of 3548	1852	spoolsv.exe	spoolsv.exe
PID 1852 set thread context of 3556	1852	spoolsv.exe	diskperf.exe
PID 572 set thread context of 3580	572	spoolsv.exe	spoolsv.exe
PID 572 set thread context of 3588	572	spoolsv.exe	diskperf.exe
PID 2024 set thread context of 3612	2024	spoolsv.exe	spoolsv.exe
PID 2024 set thread context of 3632	2024	spoolsv.exe	diskperf.exe
PID 1740 set thread context of 3644	1740	spoolsv.exe	spoolsv.exe
PID 1740 set thread context of 3652	1740	spoolsv.exe	diskperf.exe
PID 1512 set thread context of 3676	1512	spoolsv.exe	spoolsv.exe
PID 1512 set thread context of 3684	1512	spoolsv.exe	diskperf.exe
PID 1920 set thread context of 3704	1920	spoolsv.exe	spoolsv.exe
PID 1920 set thread context of 3724	1920	spoolsv.exe	diskperf.exe
PID 1004 set thread context of 3736	1004	spoolsv.exe	spoolsv.exe
PID 1004 set thread context of 3744	1004	spoolsv.exe	diskperf.exe
PID 340 set thread context of 3764	340	spoolsv.exe	spoolsv.exe
PID 340 set thread context of 3772	340	spoolsv.exe	diskperf.exe
PID 1320 set thread context of 3800	1320	spoolsv.exe	spoolsv.exe
PID 1320 set thread context of 3808	1320	spoolsv.exe	diskperf.exe
PID 856 set thread context of 3828	856	spoolsv.exe	spoolsv.exe
PID 856 set thread context of 3836	856	spoolsv.exe	diskperf.exe
PID 1580 set thread context of 3856	1580	spoolsv.exe	spoolsv.exe
PID 1580 set thread context of 3864	1580	spoolsv.exe	diskperf.exe
PID 1544 set thread context of 3876	1544	spoolsv.exe	spoolsv.exe
PID 1544 set thread context of 3884	1544	spoolsv.exe	diskperf.exe
PID 1160 set thread context of 3892	1160	spoolsv.exe	spoolsv.exe
PID 1160 set thread context of 3928	1160	spoolsv.exe	diskperf.exe
PID 1688 set thread context of 3908	1688	spoolsv.exe	spoolsv.exe
PID 1688 set thread context of 3936	1688	spoolsv.exe	diskperf.exe
PID 1352 set thread context of 3900	1352	spoolsv.exe	spoolsv.exe
PID 1352 set thread context of 3944	1352	spoolsv.exe	diskperf.exe
PID 1692 set thread context of 3956	1692	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 3964	1692	spoolsv.exe	diskperf.exe
PID 1488 set thread context of 3988	1488	spoolsv.exe	spoolsv.exe
PID 1488 set thread context of 4008	1488	spoolsv.exe	diskperf.exe
PID 1524 set thread context of 4016	1524	spoolsv.exe	spoolsv.exe
PID 1524 set thread context of 4024	1524	spoolsv.exe	diskperf.exe
PID 484 set thread context of 4032	484	spoolsv.exe	spoolsv.exe
PID 484 set thread context of 4040	484	spoolsv.exe	diskperf.exe
PID 1720 set thread context of 4068	1720	spoolsv.exe	spoolsv.exe
PID 1720 set thread context of 4076	1720	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exe

pid	process
1260	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

304 explorer.exe

pid	process
304	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1260	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
1260	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
304	explorer.exe
3196	spoolsv.exe
3196	spoolsv.exe
3236	spoolsv.exe
3236	spoolsv.exe
3272	spoolsv.exe
3272	spoolsv.exe
3308	spoolsv.exe
3308	spoolsv.exe
3344	spoolsv.exe
3344	spoolsv.exe
3380	spoolsv.exe
3380	spoolsv.exe
3416	spoolsv.exe
3416	spoolsv.exe
3444	spoolsv.exe
3444	spoolsv.exe
3480	spoolsv.exe
3480	spoolsv.exe
3512	spoolsv.exe
3512	spoolsv.exe
3548	spoolsv.exe
3548	spoolsv.exe
3580	spoolsv.exe
3580	spoolsv.exe
3612	spoolsv.exe
3612	spoolsv.exe
3644	spoolsv.exe
3644	spoolsv.exe
3676	spoolsv.exe
3676	spoolsv.exe
3704	spoolsv.exe
3704	spoolsv.exe
3736	spoolsv.exe
3736	spoolsv.exe
3764	spoolsv.exe
3764	spoolsv.exe
3800	spoolsv.exe
3800	spoolsv.exe
3828	spoolsv.exe
3828	spoolsv.exe
3856	spoolsv.exe
3856	spoolsv.exe
3876	spoolsv.exe
3876	spoolsv.exe
3892	spoolsv.exe
3892	spoolsv.exe
3908	spoolsv.exe
3908	spoolsv.exe
3900	spoolsv.exe
3900	spoolsv.exe
3956	spoolsv.exe
3956	spoolsv.exe
3988	spoolsv.exe
3988	spoolsv.exe
4016	spoolsv.exe
4016	spoolsv.exe
4032	spoolsv.exe
4032	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 484 wrote to memory of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 wrote to memory of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 wrote to memory of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 wrote to memory of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 wrote to memory of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 wrote to memory of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 wrote to memory of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 wrote to memory of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 wrote to memory of 1260	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 484 wrote to memory of 1456	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 484 wrote to memory of 1456	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 484 wrote to memory of 1456	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 484 wrote to memory of 1456	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 484 wrote to memory of 1456	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 484 wrote to memory of 1456	484	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 1260 wrote to memory of 1016	1260	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	explorer.exe
PID 1260 wrote to memory of 1016	1260	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	explorer.exe
PID 1260 wrote to memory of 1016	1260	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	explorer.exe
PID 1260 wrote to memory of 1016	1260	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	explorer.exe
PID 1016 wrote to memory of 304	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 304	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 304	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 304	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 304	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 304	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 304	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 304	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 304	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1820	1016	explorer.exe	diskperf.exe
PID 1016 wrote to memory of 1820	1016	explorer.exe	diskperf.exe
PID 1016 wrote to memory of 1820	1016	explorer.exe	diskperf.exe
PID 1016 wrote to memory of 1820	1016	explorer.exe	diskperf.exe
PID 1016 wrote to memory of 1820	1016	explorer.exe	diskperf.exe
PID 1016 wrote to memory of 1820	1016	explorer.exe	diskperf.exe
PID 304 wrote to memory of 776	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 776	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 776	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 776	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 564	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 564	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 564	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 564	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1028	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1028	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1028	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1028	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1096	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1096	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1096	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1096	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 2032	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 2032	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 2032	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 2032	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1684	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1684	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1684	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1684	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1656	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1656	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1656	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 1656	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 916	304	explorer.exe	spoolsv.exe
PID 304 wrote to memory of 916	304	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
"C:\Users\Admin\AppData\Local\Temp\90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
"C:\Users\Admin\AppData\Local\Temp\90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1260

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3236

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3308

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3344

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3380

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3416

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3444

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3480

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3492

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3512

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3548

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3568

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3736

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3764

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3800

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3828

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3848

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3876

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3988

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4032

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4052

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4084

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3224

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3200

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3240

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3340

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3336

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3376

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3408

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3460

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3712

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3736

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1468

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1604

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3972

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1848

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4064

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3324

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1452

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3460

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:912

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3832

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1860

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1448

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4032

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3312

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1452

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3780

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3704

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3188

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1456

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
ab8b026c7402b5e0452ff0f915f2cb0f

SHA1
ca849caf19f9c87e2218f12d8c2c263f010b858f

SHA256
90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9

SHA512
c896a625314f135ec0854f2ef80574efc21926c46a04224e6fa3f75342c8647963ee3d7e7538b2ac5352f2ad62f20d9e0bb86c8233289f8bded6ca52830cbbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
fa24fb0aabfecfedeeb834271a1f7691

SHA1
5314b6db12cbc039f054d0dc48f5022924b753df

SHA256
d88cfb28edb19392cbfeb264ee2d4c412bd0647699212a0c4c1c857d54214f60

SHA512
4bed3811a5161116ca10613635c3177b5a07e25e8990595ad4d82d99602afb86a08bb7c6e39efb731e513e0238c253ecc65cd41e88596f18ca37a6470f9e14a3

Download Submit
C:\Windows\system\explorer.exe
MD5
fa24fb0aabfecfedeeb834271a1f7691

SHA1
5314b6db12cbc039f054d0dc48f5022924b753df

SHA256
d88cfb28edb19392cbfeb264ee2d4c412bd0647699212a0c4c1c857d54214f60

SHA512
4bed3811a5161116ca10613635c3177b5a07e25e8990595ad4d82d99602afb86a08bb7c6e39efb731e513e0238c253ecc65cd41e88596f18ca37a6470f9e14a3

Download Submit
C:\Windows\system\explorer.exe
MD5
fa24fb0aabfecfedeeb834271a1f7691

SHA1
5314b6db12cbc039f054d0dc48f5022924b753df

SHA256
d88cfb28edb19392cbfeb264ee2d4c412bd0647699212a0c4c1c857d54214f60

SHA512
4bed3811a5161116ca10613635c3177b5a07e25e8990595ad4d82d99602afb86a08bb7c6e39efb731e513e0238c253ecc65cd41e88596f18ca37a6470f9e14a3

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\??\c:\windows\system\explorer.exe
MD5
fa24fb0aabfecfedeeb834271a1f7691

SHA1
5314b6db12cbc039f054d0dc48f5022924b753df

SHA256
d88cfb28edb19392cbfeb264ee2d4c412bd0647699212a0c4c1c857d54214f60

SHA512
4bed3811a5161116ca10613635c3177b5a07e25e8990595ad4d82d99602afb86a08bb7c6e39efb731e513e0238c253ecc65cd41e88596f18ca37a6470f9e14a3

Download Submit
\Windows\system\explorer.exe
MD5
fa24fb0aabfecfedeeb834271a1f7691

SHA1
5314b6db12cbc039f054d0dc48f5022924b753df

SHA256
d88cfb28edb19392cbfeb264ee2d4c412bd0647699212a0c4c1c857d54214f60

SHA512
4bed3811a5161116ca10613635c3177b5a07e25e8990595ad4d82d99602afb86a08bb7c6e39efb731e513e0238c253ecc65cd41e88596f18ca37a6470f9e14a3

Download Submit
\Windows\system\explorer.exe
MD5
fa24fb0aabfecfedeeb834271a1f7691

SHA1
5314b6db12cbc039f054d0dc48f5022924b753df

SHA256
d88cfb28edb19392cbfeb264ee2d4c412bd0647699212a0c4c1c857d54214f60

SHA512
4bed3811a5161116ca10613635c3177b5a07e25e8990595ad4d82d99602afb86a08bb7c6e39efb731e513e0238c253ecc65cd41e88596f18ca37a6470f9e14a3

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
\Windows\system\spoolsv.exe
MD5
8e8188dda8fbca962ce04cdca8ef5916

SHA1
9d91c7145161140747c090c5bcf55c98a1b29b64

SHA256
335a9a2a4b39aa0d94f30d28f756018741f2c677581487a8c8b7830c49d974d4

SHA512
a2ad856f9a5b03abf385608621d4c7618883dea5715b4f268bc6fb3e14413e6c161efe221718206acdd1d0c7ca0bb3bf80d8d13d6f6b8fd006e03b6e0e442bf5

Download Submit
memory/304-80-0x0000000000403670-mapping.dmp

Download
memory/340-196-0x0000000000000000-mapping.dmp

Download
memory/340-207-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/420-237-0x0000000000000000-mapping.dmp

Download
memory/420-246-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/484-59-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/484-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/484-233-0x0000000000000000-mapping.dmp

Download
memory/560-261-0x0000000000000000-mapping.dmp

Download
memory/560-269-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/564-100-0x0000000000000000-mapping.dmp

Download
memory/564-104-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/572-169-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/572-160-0x0000000000000000-mapping.dmp

Download
memory/660-272-0x0000000000000000-mapping.dmp

Download
memory/748-293-0x0000000000000000-mapping.dmp

Download
memory/748-300-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/776-95-0x0000000000000000-mapping.dmp

Download
memory/776-103-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/816-251-0x0000000000000000-mapping.dmp

Download
memory/816-264-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/856-209-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/856-205-0x0000000000000000-mapping.dmp

Download
memory/916-136-0x0000000000000000-mapping.dmp

Download
memory/916-143-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/940-142-0x0000000000000000-mapping.dmp

Download
memory/948-267-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/948-257-0x0000000000000000-mapping.dmp

Download
memory/984-259-0x0000000000000000-mapping.dmp

Download
memory/1004-190-0x0000000000000000-mapping.dmp

Download
memory/1016-77-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1016-74-0x0000000000000000-mapping.dmp

Download
memory/1028-115-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1028-107-0x0000000000000000-mapping.dmp

Download
memory/1088-286-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1088-274-0x0000000000000000-mapping.dmp

Download
memory/1092-313-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1092-308-0x0000000000000000-mapping.dmp

Download
memory/1096-116-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1096-112-0x0000000000000000-mapping.dmp

Download
memory/1156-278-0x0000000000000000-mapping.dmp

Download
memory/1160-226-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1160-214-0x0000000000000000-mapping.dmp

Download
memory/1168-241-0x0000000000000000-mapping.dmp

Download
memory/1168-248-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1192-255-0x0000000000000000-mapping.dmp

Download
memory/1260-62-0x0000000000403670-mapping.dmp

Download
memory/1260-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-287-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1276-276-0x0000000000000000-mapping.dmp

Download
memory/1320-208-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1320-202-0x0000000000000000-mapping.dmp

Download
memory/1352-216-0x0000000000000000-mapping.dmp

Download
memory/1456-65-0x0000000000411000-mapping.dmp

Download
memory/1456-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1456-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1460-307-0x0000000000000000-mapping.dmp

Download
memory/1460-312-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1488-222-0x0000000000000000-mapping.dmp

Download
memory/1512-178-0x0000000000000000-mapping.dmp

Download
memory/1512-185-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1524-243-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1524-231-0x0000000000000000-mapping.dmp

Download
memory/1540-306-0x0000000000000000-mapping.dmp

Download
memory/1540-311-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1544-210-0x0000000000000000-mapping.dmp

Download
memory/1544-224-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1548-297-0x0000000000000000-mapping.dmp

Download
memory/1580-212-0x0000000000000000-mapping.dmp

Download
memory/1580-225-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1620-270-0x0000000000000000-mapping.dmp

Download
memory/1640-282-0x0000000000000000-mapping.dmp

Download
memory/1648-280-0x0000000000000000-mapping.dmp

Download
memory/1648-289-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1656-130-0x0000000000000000-mapping.dmp

Download
memory/1656-139-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1668-301-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1668-294-0x0000000000000000-mapping.dmp

Download
memory/1684-131-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1684-124-0x0000000000000000-mapping.dmp

Download
memory/1688-218-0x0000000000000000-mapping.dmp

Download
memory/1692-229-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1692-220-0x0000000000000000-mapping.dmp

Download
memory/1696-148-0x0000000000000000-mapping.dmp

Download
memory/1696-155-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-235-0x0000000000000000-mapping.dmp

Download
memory/1724-291-0x0000000000000000-mapping.dmp

Download
memory/1740-181-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1740-173-0x0000000000000000-mapping.dmp

Download
memory/1748-239-0x0000000000000000-mapping.dmp

Download
memory/1820-85-0x0000000000411000-mapping.dmp

Download
memory/1840-310-0x0000000000000000-mapping.dmp

Download
memory/1852-168-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1852-154-0x0000000000000000-mapping.dmp

Download
memory/1856-302-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1856-295-0x0000000000000000-mapping.dmp

Download
memory/1912-265-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1912-253-0x0000000000000000-mapping.dmp

Download
memory/1920-184-0x0000000000000000-mapping.dmp

Download
memory/1920-195-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1928-263-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1928-249-0x0000000000000000-mapping.dmp

Download
memory/1956-303-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1956-296-0x0000000000000000-mapping.dmp

Download
memory/1976-298-0x0000000000000000-mapping.dmp

Download
memory/2012-309-0x0000000000000000-mapping.dmp

Download
memory/2012-314-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2024-165-0x0000000000000000-mapping.dmp

Download
memory/2024-170-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2032-119-0x0000000000000000-mapping.dmp

Download
memory/2032-127-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download