warzonerat | 8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce

Analysis

max time kernel
149s
max time network
14s
platform
windows7_x64
resource
win7v20210408
submitted
05-05-2021 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
Size

1.8MB
MD5

fab3488dffbdf592f61708e6814c1ef1
SHA1

94ec6b78f7949a3c5fe7c6078a5541235c53fa7c
SHA256

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce
SHA512

c2d139ece8d85dbb78865234991a6849f137a76bd346539f38dff3b3b42be111403c9a44f23c6724a6dd1741baa69d6672b15480f4ed47d7f9886fcdf8ce6aa3

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
816	explorer.exe
1844	explorer.exe
1616	spoolsv.exe
1404	spoolsv.exe
1540	spoolsv.exe
1984	spoolsv.exe
1728	spoolsv.exe
1856	spoolsv.exe
1592	spoolsv.exe
1732	spoolsv.exe
1636	spoolsv.exe
1568	spoolsv.exe
1956	spoolsv.exe
1216	spoolsv.exe
1064	spoolsv.exe
2040	spoolsv.exe
1612	spoolsv.exe
1932	spoolsv.exe
828	spoolsv.exe
1300	spoolsv.exe
620	spoolsv.exe
856	spoolsv.exe
532	spoolsv.exe
920	spoolsv.exe
1544	spoolsv.exe
1624	spoolsv.exe
888	spoolsv.exe
1952	spoolsv.exe
1328	spoolsv.exe
1100	spoolsv.exe
1632	spoolsv.exe
1472	spoolsv.exe
1676	spoolsv.exe
2044	spoolsv.exe
1408	spoolsv.exe
1208	spoolsv.exe
1532	spoolsv.exe
1688	spoolsv.exe
1556	spoolsv.exe
276	spoolsv.exe
1692	spoolsv.exe
2016	spoolsv.exe
948	spoolsv.exe
328	spoolsv.exe
1816	spoolsv.exe
1360	spoolsv.exe
1600	spoolsv.exe
980	spoolsv.exe
1296	spoolsv.exe
820	spoolsv.exe
1312	spoolsv.exe
1196	spoolsv.exe
380	spoolsv.exe
1020	spoolsv.exe
1776	spoolsv.exe
832	spoolsv.exe
1496	spoolsv.exe
596	spoolsv.exe
1580	spoolsv.exe
1596	spoolsv.exe
1796	spoolsv.exe
1800	spoolsv.exe
2008	spoolsv.exe
1968	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exeexplorer.exe

pid	process
1688	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
1688	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 53 IoCs

Processes:

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 792 set thread context of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 set thread context of 1232	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 816 set thread context of 1844	816	explorer.exe	explorer.exe
PID 816 set thread context of 1504	816	explorer.exe	diskperf.exe
PID 1616 set thread context of 3256	1616	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 3272	1616	spoolsv.exe	diskperf.exe
PID 1404 set thread context of 3296	1404	spoolsv.exe	spoolsv.exe
PID 1404 set thread context of 3304	1404	spoolsv.exe	diskperf.exe
PID 1540 set thread context of 3336	1540	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 3344	1540	spoolsv.exe	diskperf.exe
PID 1984 set thread context of 3372	1984	spoolsv.exe	spoolsv.exe
PID 1984 set thread context of 3380	1984	spoolsv.exe	diskperf.exe
PID 1728 set thread context of 3408	1728	spoolsv.exe	spoolsv.exe
PID 1728 set thread context of 3416	1728	spoolsv.exe	diskperf.exe
PID 1856 set thread context of 3444	1856	spoolsv.exe	spoolsv.exe
PID 1856 set thread context of 3452	1856	spoolsv.exe	diskperf.exe
PID 1592 set thread context of 3476	1592	spoolsv.exe	spoolsv.exe
PID 1592 set thread context of 3484	1592	spoolsv.exe	diskperf.exe
PID 1732 set thread context of 3508	1732	spoolsv.exe	spoolsv.exe
PID 1732 set thread context of 3536	1732	spoolsv.exe	diskperf.exe
PID 1636 set thread context of 3544	1636	spoolsv.exe	spoolsv.exe
PID 1636 set thread context of 3552	1636	spoolsv.exe	diskperf.exe
PID 1568 set thread context of 3576	1568	spoolsv.exe	spoolsv.exe
PID 1568 set thread context of 3584	1568	spoolsv.exe	diskperf.exe
PID 1956 set thread context of 3612	1956	spoolsv.exe	spoolsv.exe
PID 1956 set thread context of 3620	1956	spoolsv.exe	diskperf.exe
PID 1216 set thread context of 3648	1216	spoolsv.exe	spoolsv.exe
PID 1216 set thread context of 3656	1216	spoolsv.exe	diskperf.exe
PID 1064 set thread context of 3680	1064	spoolsv.exe	spoolsv.exe
PID 1064 set thread context of 3688	1064	spoolsv.exe	diskperf.exe
PID 2040 set thread context of 3716	2040	spoolsv.exe	spoolsv.exe
PID 2040 set thread context of 3724	2040	spoolsv.exe	diskperf.exe
PID 1612 set thread context of 3752	1612	spoolsv.exe	spoolsv.exe
PID 1612 set thread context of 3760	1612	spoolsv.exe	diskperf.exe
PID 1932 set thread context of 3780	1932	spoolsv.exe	spoolsv.exe
PID 1932 set thread context of 3788	1932	spoolsv.exe	diskperf.exe
PID 828 set thread context of 3816	828	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 3824	828	spoolsv.exe	diskperf.exe
PID 1300 set thread context of 3852	1300	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 3860	1300	spoolsv.exe	diskperf.exe
PID 620 set thread context of 3888	620	spoolsv.exe	spoolsv.exe
PID 620 set thread context of 3896	620	spoolsv.exe	diskperf.exe
PID 856 set thread context of 3920	856	spoolsv.exe	spoolsv.exe
PID 856 set thread context of 3928	856	spoolsv.exe	diskperf.exe
PID 532 set thread context of 3948	532	spoolsv.exe	spoolsv.exe
PID 532 set thread context of 3960	532	spoolsv.exe	diskperf.exe
PID 920 set thread context of 3980	920	spoolsv.exe	spoolsv.exe
PID 1544 set thread context of 3996	1544	spoolsv.exe	spoolsv.exe
PID 920 set thread context of 3988	920	spoolsv.exe	diskperf.exe
PID 1544 set thread context of 4004	1544	spoolsv.exe	diskperf.exe
PID 1624 set thread context of 4012	1624	spoolsv.exe	spoolsv.exe
PID 1624 set thread context of 4020	1624	spoolsv.exe	diskperf.exe
PID 888 set thread context of 4040	888	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exeexplorer.exe

pid	process
1688	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1844 explorer.exe

pid	process
1844	explorer.exe

Suspicious use of SetWindowsHookEx 56 IoCs

Processes:

pid	process
1688	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
1688	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
1844	explorer.exe
3256	spoolsv.exe
3256	spoolsv.exe
3296	spoolsv.exe
3296	spoolsv.exe
3336	spoolsv.exe
3336	spoolsv.exe
3372	spoolsv.exe
3372	spoolsv.exe
3408	spoolsv.exe
3408	spoolsv.exe
3444	spoolsv.exe
3444	spoolsv.exe
3476	spoolsv.exe
3476	spoolsv.exe
3508	spoolsv.exe
3508	spoolsv.exe
3544	spoolsv.exe
3544	spoolsv.exe
3576	spoolsv.exe
3576	spoolsv.exe
3612	spoolsv.exe
3612	spoolsv.exe
3648	spoolsv.exe
3648	spoolsv.exe
3680	spoolsv.exe
3680	spoolsv.exe
3716	spoolsv.exe
3716	spoolsv.exe
3752	spoolsv.exe
3752	spoolsv.exe
3780	spoolsv.exe
3780	spoolsv.exe
3816	spoolsv.exe
3816	spoolsv.exe
3852	spoolsv.exe
3852	spoolsv.exe
3888	spoolsv.exe
3888	spoolsv.exe
3920	spoolsv.exe
3920	spoolsv.exe
3948	spoolsv.exe
3948	spoolsv.exe
3980	spoolsv.exe
3980	spoolsv.exe
3996	spoolsv.exe
3996	spoolsv.exe
4012	spoolsv.exe
4012	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 792 wrote to memory of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 wrote to memory of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 wrote to memory of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 wrote to memory of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 wrote to memory of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 wrote to memory of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 wrote to memory of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 wrote to memory of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 wrote to memory of 1688	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
PID 792 wrote to memory of 1232	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 792 wrote to memory of 1232	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 792 wrote to memory of 1232	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 792 wrote to memory of 1232	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 792 wrote to memory of 1232	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 792 wrote to memory of 1232	792	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	diskperf.exe
PID 1688 wrote to memory of 816	1688	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	explorer.exe
PID 1688 wrote to memory of 816	1688	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	explorer.exe
PID 1688 wrote to memory of 816	1688	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	explorer.exe
PID 1688 wrote to memory of 816	1688	8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe	explorer.exe
PID 816 wrote to memory of 1844	816	explorer.exe	explorer.exe
PID 816 wrote to memory of 1844	816	explorer.exe	explorer.exe
PID 816 wrote to memory of 1844	816	explorer.exe	explorer.exe
PID 816 wrote to memory of 1844	816	explorer.exe	explorer.exe
PID 816 wrote to memory of 1844	816	explorer.exe	explorer.exe
PID 816 wrote to memory of 1844	816	explorer.exe	explorer.exe
PID 816 wrote to memory of 1844	816	explorer.exe	explorer.exe
PID 816 wrote to memory of 1844	816	explorer.exe	explorer.exe
PID 816 wrote to memory of 1844	816	explorer.exe	explorer.exe
PID 816 wrote to memory of 1504	816	explorer.exe	diskperf.exe
PID 816 wrote to memory of 1504	816	explorer.exe	diskperf.exe
PID 816 wrote to memory of 1504	816	explorer.exe	diskperf.exe
PID 816 wrote to memory of 1504	816	explorer.exe	diskperf.exe
PID 816 wrote to memory of 1504	816	explorer.exe	diskperf.exe
PID 816 wrote to memory of 1504	816	explorer.exe	diskperf.exe
PID 1844 wrote to memory of 1616	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1616	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1616	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1616	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1404	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1404	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1404	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1404	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1540	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1540	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1540	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1540	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1984	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1984	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1984	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1984	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1728	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1728	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1728	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1728	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1856	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1856	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1856	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1856	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1592	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1592	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1592	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1592	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1732	1844	explorer.exe	spoolsv.exe
PID 1844 wrote to memory of 1732	1844	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
"C:\Users\Admin\AppData\Local\Temp\8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe
"C:\Users\Admin\AppData\Local\Temp\8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:816

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3256

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3320

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3296

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3336

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3356

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3372

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3408

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3444

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3476

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3496

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3544

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3576

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3700

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3716

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3736

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3780

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3852

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3948

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4012

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4056

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1072

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3352

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3388

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2044

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3436

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3504

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1232

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3604

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
fab3488dffbdf592f61708e6814c1ef1

SHA1
94ec6b78f7949a3c5fe7c6078a5541235c53fa7c

SHA256
8ac310213dc8a18fc021be40d9b756e9ee61ac2b45e0ca249feae7ec177ed5ce

SHA512
c2d139ece8d85dbb78865234991a6849f137a76bd346539f38dff3b3b42be111403c9a44f23c6724a6dd1741baa69d6672b15480f4ed47d7f9886fcdf8ce6aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
f3d31dc9acc739261d9b79ca80dda8fa

SHA1
89c3a678b2fd5edd7455982eb195cdf194c79fe6

SHA256
ba3e4ee4a9a1af7cf551db45934a0faeb60a5a6fd74fa3b3c60d37ee238aa51f

SHA512
0c0a57af3fb02bb7923aeb2d065f52425af2d45d03732aad9be2cee00a1c4ee541e3f90d19f12be2ed1e7d431f71cb138de3ab7325df0d338efeab349b6d4f51

Download Submit
C:\Windows\system\explorer.exe
MD5
f3d31dc9acc739261d9b79ca80dda8fa

SHA1
89c3a678b2fd5edd7455982eb195cdf194c79fe6

SHA256
ba3e4ee4a9a1af7cf551db45934a0faeb60a5a6fd74fa3b3c60d37ee238aa51f

SHA512
0c0a57af3fb02bb7923aeb2d065f52425af2d45d03732aad9be2cee00a1c4ee541e3f90d19f12be2ed1e7d431f71cb138de3ab7325df0d338efeab349b6d4f51

Download Submit
C:\Windows\system\explorer.exe
MD5
f3d31dc9acc739261d9b79ca80dda8fa

SHA1
89c3a678b2fd5edd7455982eb195cdf194c79fe6

SHA256
ba3e4ee4a9a1af7cf551db45934a0faeb60a5a6fd74fa3b3c60d37ee238aa51f

SHA512
0c0a57af3fb02bb7923aeb2d065f52425af2d45d03732aad9be2cee00a1c4ee541e3f90d19f12be2ed1e7d431f71cb138de3ab7325df0d338efeab349b6d4f51

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\??\c:\windows\system\explorer.exe
MD5
f3d31dc9acc739261d9b79ca80dda8fa

SHA1
89c3a678b2fd5edd7455982eb195cdf194c79fe6

SHA256
ba3e4ee4a9a1af7cf551db45934a0faeb60a5a6fd74fa3b3c60d37ee238aa51f

SHA512
0c0a57af3fb02bb7923aeb2d065f52425af2d45d03732aad9be2cee00a1c4ee541e3f90d19f12be2ed1e7d431f71cb138de3ab7325df0d338efeab349b6d4f51

Download Submit
\Windows\system\explorer.exe
MD5
f3d31dc9acc739261d9b79ca80dda8fa

SHA1
89c3a678b2fd5edd7455982eb195cdf194c79fe6

SHA256
ba3e4ee4a9a1af7cf551db45934a0faeb60a5a6fd74fa3b3c60d37ee238aa51f

SHA512
0c0a57af3fb02bb7923aeb2d065f52425af2d45d03732aad9be2cee00a1c4ee541e3f90d19f12be2ed1e7d431f71cb138de3ab7325df0d338efeab349b6d4f51

Download Submit
\Windows\system\explorer.exe
MD5
f3d31dc9acc739261d9b79ca80dda8fa

SHA1
89c3a678b2fd5edd7455982eb195cdf194c79fe6

SHA256
ba3e4ee4a9a1af7cf551db45934a0faeb60a5a6fd74fa3b3c60d37ee238aa51f

SHA512
0c0a57af3fb02bb7923aeb2d065f52425af2d45d03732aad9be2cee00a1c4ee541e3f90d19f12be2ed1e7d431f71cb138de3ab7325df0d338efeab349b6d4f51

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
\Windows\system\spoolsv.exe
MD5
5840915355895b0b0daee9244e6dc2e0

SHA1
8b0c4fa244ce75bf4235a4a149520187744a25a0

SHA256
c946cac9fa13c2996447162875815a57b0d8fb83722c73484f1ffa34f8eced39

SHA512
6439d48d6d5bd44ceb99282152ff8aa8bc06244429d9d0bb975b3d6f4d99b4925618647517687cfe79cd1b7d658153e6a42a3e876e7935cf5af9cc347d412378

Download Submit
memory/276-257-0x0000000000000000-mapping.dmp

Download
memory/276-266-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/328-272-0x0000000000000000-mapping.dmp

Download
memory/380-295-0x0000000000000000-mapping.dmp

Download
memory/532-220-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/532-210-0x0000000000000000-mapping.dmp

Download
memory/596-308-0x0000000000000000-mapping.dmp

Download
memory/596-313-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/620-203-0x0000000000000000-mapping.dmp

Download
memory/620-207-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/792-61-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/792-60-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/816-78-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/816-75-0x0000000000000000-mapping.dmp

Download
memory/820-291-0x0000000000000000-mapping.dmp

Download
memory/820-300-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/828-195-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/828-190-0x0000000000000000-mapping.dmp

Download
memory/832-298-0x0000000000000000-mapping.dmp

Download
memory/856-208-0x0000000000000000-mapping.dmp

Download
memory/856-218-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/888-223-0x0000000000000000-mapping.dmp

Download
memory/888-237-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/920-221-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/920-212-0x0000000000000000-mapping.dmp

Download
memory/948-270-0x0000000000000000-mapping.dmp

Download
memory/948-283-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/980-280-0x0000000000000000-mapping.dmp

Download
memory/980-288-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1020-296-0x0000000000000000-mapping.dmp

Download
memory/1020-304-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1064-177-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1064-166-0x0000000000000000-mapping.dmp

Download
memory/1100-243-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1100-229-0x0000000000000000-mapping.dmp

Download
memory/1196-302-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1196-294-0x0000000000000000-mapping.dmp

Download
memory/1208-249-0x0000000000000000-mapping.dmp

Download
memory/1208-262-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1216-168-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1216-161-0x0000000000000000-mapping.dmp

Download
memory/1232-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1232-67-0x0000000000411000-mapping.dmp

Download
memory/1232-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1296-289-0x0000000000000000-mapping.dmp

Download
memory/1300-206-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1300-198-0x0000000000000000-mapping.dmp

Download
memory/1312-293-0x0000000000000000-mapping.dmp

Download
memory/1312-301-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1328-227-0x0000000000000000-mapping.dmp

Download
memory/1360-276-0x0000000000000000-mapping.dmp

Download
memory/1404-108-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1404-101-0x0000000000000000-mapping.dmp

Download
memory/1408-261-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1408-247-0x0000000000000000-mapping.dmp

Download
memory/1472-233-0x0000000000000000-mapping.dmp

Download
memory/1472-245-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1496-312-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1496-307-0x0000000000000000-mapping.dmp

Download
memory/1504-86-0x0000000000411000-mapping.dmp

Download
memory/1532-251-0x0000000000000000-mapping.dmp

Download
memory/1540-116-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1540-107-0x0000000000000000-mapping.dmp

Download
memory/1544-214-0x0000000000000000-mapping.dmp

Download
memory/1556-255-0x0000000000000000-mapping.dmp

Download
memory/1556-265-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1568-149-0x0000000000000000-mapping.dmp

Download
memory/1568-156-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1580-314-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1580-309-0x0000000000000000-mapping.dmp

Download
memory/1592-141-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1592-131-0x0000000000000000-mapping.dmp

Download
memory/1596-310-0x0000000000000000-mapping.dmp

Download
memory/1596-315-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1600-278-0x0000000000000000-mapping.dmp

Download
memory/1612-193-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1612-179-0x0000000000000000-mapping.dmp

Download
memory/1616-105-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1616-96-0x0000000000000000-mapping.dmp

Download
memory/1624-216-0x0000000000000000-mapping.dmp

Download
memory/1624-219-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1632-231-0x0000000000000000-mapping.dmp

Download
memory/1636-143-0x0000000000000000-mapping.dmp

Download
memory/1636-155-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1676-235-0x0000000000000000-mapping.dmp

Download
memory/1676-246-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1688-264-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-63-0x0000000000403670-mapping.dmp

Download
memory/1688-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-253-0x0000000000000000-mapping.dmp

Download
memory/1692-259-0x0000000000000000-mapping.dmp

Download
memory/1692-267-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1728-129-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1728-120-0x0000000000000000-mapping.dmp

Download
memory/1732-137-0x0000000000000000-mapping.dmp

Download
memory/1732-144-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1776-297-0x0000000000000000-mapping.dmp

Download
memory/1796-311-0x0000000000000000-mapping.dmp

Download
memory/1816-274-0x0000000000000000-mapping.dmp

Download
memory/1844-81-0x0000000000403670-mapping.dmp

Download
memory/1856-132-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1856-125-0x0000000000000000-mapping.dmp

Download
memory/1932-194-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1932-185-0x0000000000000000-mapping.dmp

Download
memory/1952-225-0x0000000000000000-mapping.dmp

Download
memory/1956-154-0x0000000000000000-mapping.dmp

Download
memory/1956-167-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1984-117-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1984-113-0x0000000000000000-mapping.dmp

Download
memory/2016-268-0x0000000000000000-mapping.dmp

Download
memory/2040-180-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2040-173-0x0000000000000000-mapping.dmp

Download
memory/2044-242-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2044-238-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads