warzonerat | 29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713

Analysis

max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
Size

1.8MB
MD5

ca44c4e684beb00dc8085b73edec55c8
SHA1

934b397db56b99409b8c553bce0859231d84ce07
SHA256

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713
SHA512

0ebf4b939fadecb31a6f01911dccac3d96a62931f8f882d92a218654d0cfcb6de8d7e95ba572a90a4d648258ff5246b5e0f58e05362bec5e472bfe3509d60355

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
332	explorer.exe
932	explorer.exe
560	spoolsv.exe
1724	spoolsv.exe
1556	spoolsv.exe
796	spoolsv.exe
540	spoolsv.exe
1480	spoolsv.exe
2028	spoolsv.exe
1592	spoolsv.exe
976	spoolsv.exe
2004	spoolsv.exe
1052	spoolsv.exe
396	spoolsv.exe
592	spoolsv.exe
1820	spoolsv.exe
272	spoolsv.exe
1484	spoolsv.exe
1516	spoolsv.exe
1528	spoolsv.exe
568	spoolsv.exe
1868	spoolsv.exe
276	spoolsv.exe
1620	spoolsv.exe
1756	spoolsv.exe
1596	spoolsv.exe
1624	spoolsv.exe
1064	spoolsv.exe
1652	spoolsv.exe
1984	spoolsv.exe
1852	spoolsv.exe
1644	spoolsv.exe
1700	spoolsv.exe
768	spoolsv.exe
288	spoolsv.exe
268	spoolsv.exe
1544	spoolsv.exe
1308	spoolsv.exe
1608	spoolsv.exe
612	spoolsv.exe
896	spoolsv.exe
1148	spoolsv.exe
552	spoolsv.exe
1296	spoolsv.exe
1364	spoolsv.exe
2032	spoolsv.exe
1384	spoolsv.exe
1272	spoolsv.exe
904	spoolsv.exe
1612	spoolsv.exe
2036	spoolsv.exe
472	spoolsv.exe
1872	spoolsv.exe
1928	spoolsv.exe
1764	spoolsv.exe
772	spoolsv.exe
828	spoolsv.exe
864	spoolsv.exe
1712	spoolsv.exe
844	spoolsv.exe
1300	spoolsv.exe
1688	spoolsv.exe
1572	spoolsv.exe
1112	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exeexplorer.exe

pid	process
1580	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
1580	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe

Adds Run key to start application 2 TTPs 35 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 63 IoCs

Processes:

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1048 set thread context of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 set thread context of 112	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 332 set thread context of 932	332	explorer.exe	explorer.exe
PID 332 set thread context of 1172	332	explorer.exe	diskperf.exe
PID 560 set thread context of 3204	560	spoolsv.exe	spoolsv.exe
PID 560 set thread context of 3212	560	spoolsv.exe	diskperf.exe
PID 1724 set thread context of 3244	1724	spoolsv.exe	spoolsv.exe
PID 1724 set thread context of 3252	1724	spoolsv.exe	diskperf.exe
PID 1556 set thread context of 3280	1556	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 3288	1556	spoolsv.exe	diskperf.exe
PID 796 set thread context of 3316	796	spoolsv.exe	spoolsv.exe
PID 796 set thread context of 3324	796	spoolsv.exe	diskperf.exe
PID 540 set thread context of 3352	540	spoolsv.exe	spoolsv.exe
PID 540 set thread context of 3360	540	spoolsv.exe	diskperf.exe
PID 1480 set thread context of 3384	1480	spoolsv.exe	spoolsv.exe
PID 1480 set thread context of 3392	1480	spoolsv.exe	diskperf.exe
PID 2028 set thread context of 3420	2028	spoolsv.exe	spoolsv.exe
PID 2028 set thread context of 3428	2028	spoolsv.exe	diskperf.exe
PID 1592 set thread context of 3460	1592	spoolsv.exe	spoolsv.exe
PID 1592 set thread context of 3468	1592	spoolsv.exe	diskperf.exe
PID 976 set thread context of 3496	976	spoolsv.exe	spoolsv.exe
PID 976 set thread context of 3504	976	spoolsv.exe	diskperf.exe
PID 2004 set thread context of 3532	2004	spoolsv.exe	spoolsv.exe
PID 2004 set thread context of 3540	2004	spoolsv.exe	diskperf.exe
PID 1052 set thread context of 3568	1052	spoolsv.exe	spoolsv.exe
PID 1052 set thread context of 3576	1052	spoolsv.exe	diskperf.exe
PID 396 set thread context of 3596	396	spoolsv.exe	spoolsv.exe
PID 396 set thread context of 3604	396	spoolsv.exe	diskperf.exe
PID 592 set thread context of 3628	592	spoolsv.exe	spoolsv.exe
PID 592 set thread context of 3636	592	spoolsv.exe	diskperf.exe
PID 1820 set thread context of 3664	1820	spoolsv.exe	spoolsv.exe
PID 1820 set thread context of 3672	1820	spoolsv.exe	diskperf.exe
PID 272 set thread context of 3696	272	spoolsv.exe	spoolsv.exe
PID 272 set thread context of 3704	272	spoolsv.exe	diskperf.exe
PID 1484 set thread context of 3724	1484	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 3732	1484	spoolsv.exe	diskperf.exe
PID 1516 set thread context of 3756	1516	spoolsv.exe	spoolsv.exe
PID 1516 set thread context of 3764	1516	spoolsv.exe	diskperf.exe
PID 1528 set thread context of 3784	1528	spoolsv.exe	spoolsv.exe
PID 1528 set thread context of 3792	1528	spoolsv.exe	diskperf.exe
PID 568 set thread context of 3820	568	spoolsv.exe	spoolsv.exe
PID 568 set thread context of 3840	568	spoolsv.exe	diskperf.exe
PID 1868 set thread context of 3848	1868	spoolsv.exe	spoolsv.exe
PID 1868 set thread context of 3856	1868	spoolsv.exe	diskperf.exe
PID 276 set thread context of 3876	276	spoolsv.exe	spoolsv.exe
PID 276 set thread context of 3884	276	spoolsv.exe	diskperf.exe
PID 1620 set thread context of 3904	1620	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 3912	1620	spoolsv.exe	diskperf.exe
PID 1756 set thread context of 3932	1756	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 3952	1756	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 3960	1596	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 3968	1596	spoolsv.exe	diskperf.exe
PID 1064 set thread context of 3980	1064	spoolsv.exe	spoolsv.exe
PID 1064 set thread context of 3988	1064	spoolsv.exe	diskperf.exe
PID 1624 set thread context of 3996	1624	spoolsv.exe	spoolsv.exe
PID 1624 set thread context of 4016	1624	spoolsv.exe	diskperf.exe
PID 1652 set thread context of 4024	1652	spoolsv.exe	spoolsv.exe
PID 1652 set thread context of 4032	1652	spoolsv.exe	diskperf.exe
PID 1984 set thread context of 4048	1984	spoolsv.exe	diskperf.exe
PID 1852 set thread context of 4040	1852	spoolsv.exe	spoolsv.exe
PID 1852 set thread context of 4076	1852	spoolsv.exe	diskperf.exe
PID 1984 set thread context of 4056	1984	spoolsv.exe	diskperf.exe
PID 1644 set thread context of 4088	1644	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exeexplorer.exe

pid	process
1580	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

932 explorer.exe

pid	process
932	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1580	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
1580	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
932	explorer.exe
3204	spoolsv.exe
3204	spoolsv.exe
3244	spoolsv.exe
3244	spoolsv.exe
3280	spoolsv.exe
3280	spoolsv.exe
3316	spoolsv.exe
3316	spoolsv.exe
3352	spoolsv.exe
3352	spoolsv.exe
3384	spoolsv.exe
3384	spoolsv.exe
3420	spoolsv.exe
3420	spoolsv.exe
3460	spoolsv.exe
3460	spoolsv.exe
3496	spoolsv.exe
3496	spoolsv.exe
3532	spoolsv.exe
3532	spoolsv.exe
3568	spoolsv.exe
3568	spoolsv.exe
3596	spoolsv.exe
3596	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
3664	spoolsv.exe
3664	spoolsv.exe
3696	spoolsv.exe
3696	spoolsv.exe
3724	spoolsv.exe
3724	spoolsv.exe
3756	spoolsv.exe
3756	spoolsv.exe
3784	spoolsv.exe
3784	spoolsv.exe
3820	spoolsv.exe
3820	spoolsv.exe
3848	spoolsv.exe
3848	spoolsv.exe
3876	spoolsv.exe
3876	spoolsv.exe
3904	spoolsv.exe
3904	spoolsv.exe
3932	spoolsv.exe
3932	spoolsv.exe
3960	spoolsv.exe
3960	spoolsv.exe
3980	spoolsv.exe
3980	spoolsv.exe
3996	spoolsv.exe
4024	spoolsv.exe
3996	diskperf.exe
4024	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
4048	diskperf.exe
4048	diskperf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1048 wrote to memory of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 wrote to memory of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 wrote to memory of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 wrote to memory of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 wrote to memory of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 wrote to memory of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 wrote to memory of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 wrote to memory of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 wrote to memory of 1580	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1048 wrote to memory of 112	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1048 wrote to memory of 112	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1048 wrote to memory of 112	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1048 wrote to memory of 112	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1048 wrote to memory of 112	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1048 wrote to memory of 112	1048	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1580 wrote to memory of 332	1580	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	explorer.exe
PID 1580 wrote to memory of 332	1580	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	explorer.exe
PID 1580 wrote to memory of 332	1580	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	explorer.exe
PID 1580 wrote to memory of 332	1580	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	explorer.exe
PID 332 wrote to memory of 932	332	explorer.exe	explorer.exe
PID 332 wrote to memory of 932	332	explorer.exe	explorer.exe
PID 332 wrote to memory of 932	332	explorer.exe	explorer.exe
PID 332 wrote to memory of 932	332	explorer.exe	explorer.exe
PID 332 wrote to memory of 932	332	explorer.exe	explorer.exe
PID 332 wrote to memory of 932	332	explorer.exe	explorer.exe
PID 332 wrote to memory of 932	332	explorer.exe	explorer.exe
PID 332 wrote to memory of 932	332	explorer.exe	explorer.exe
PID 332 wrote to memory of 932	332	explorer.exe	explorer.exe
PID 332 wrote to memory of 1172	332	explorer.exe	diskperf.exe
PID 332 wrote to memory of 1172	332	explorer.exe	diskperf.exe
PID 332 wrote to memory of 1172	332	explorer.exe	diskperf.exe
PID 332 wrote to memory of 1172	332	explorer.exe	diskperf.exe
PID 332 wrote to memory of 1172	332	explorer.exe	diskperf.exe
PID 332 wrote to memory of 1172	332	explorer.exe	diskperf.exe
PID 932 wrote to memory of 560	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 560	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 560	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 560	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1724	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1724	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1724	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1724	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1556	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1556	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1556	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1556	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 796	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 796	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 796	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 796	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 540	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 540	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 540	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 540	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1480	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1480	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1480	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1480	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 2028	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 2028	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 2028	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 2028	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1592	932	explorer.exe	spoolsv.exe
PID 932 wrote to memory of 1592	932	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
"C:\Users\Admin\AppData\Local\Temp\29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
"C:\Users\Admin\AppData\Local\Temp\29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:332

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3204

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3236

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3244

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3280

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3316

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3352

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3384

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3404

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3420

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3440

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3460

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3496

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3532

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3568

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3588

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3596

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3628

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3664

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3724

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3744

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3776

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3848

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3876

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3904

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3980

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4088

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3272

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1392

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3336

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3368

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3416

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3400

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3452

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:912

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3552

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3668

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3760

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3876

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3908

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1716

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3276

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3296

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3552

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3940

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3308

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1636

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1372

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1660

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1172

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:112

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
ca44c4e684beb00dc8085b73edec55c8

SHA1
934b397db56b99409b8c553bce0859231d84ce07

SHA256
29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713

SHA512
0ebf4b939fadecb31a6f01911dccac3d96a62931f8f882d92a218654d0cfcb6de8d7e95ba572a90a4d648258ff5246b5e0f58e05362bec5e472bfe3509d60355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
c7dd27a2bb4b1a076ab00441403f04c3

SHA1
d227ca0c369b0b27c19f3cef41c58c683a56094b

SHA256
9e0c2681882dd6213a816df112f3a7ce386748483d9dade97edb30ad32385202

SHA512
76bd033ccd5158abb12bd688734e859eeefa2b436ff2884f1ade4675108dc5031b8b0fd15dac3fd1bcf4a18c8af76ee7dd8cab2beb15484791d9a63f92026ea4

Download Submit
C:\Windows\system\explorer.exe
MD5
c7dd27a2bb4b1a076ab00441403f04c3

SHA1
d227ca0c369b0b27c19f3cef41c58c683a56094b

SHA256
9e0c2681882dd6213a816df112f3a7ce386748483d9dade97edb30ad32385202

SHA512
76bd033ccd5158abb12bd688734e859eeefa2b436ff2884f1ade4675108dc5031b8b0fd15dac3fd1bcf4a18c8af76ee7dd8cab2beb15484791d9a63f92026ea4

Download Submit
C:\Windows\system\explorer.exe
MD5
c7dd27a2bb4b1a076ab00441403f04c3

SHA1
d227ca0c369b0b27c19f3cef41c58c683a56094b

SHA256
9e0c2681882dd6213a816df112f3a7ce386748483d9dade97edb30ad32385202

SHA512
76bd033ccd5158abb12bd688734e859eeefa2b436ff2884f1ade4675108dc5031b8b0fd15dac3fd1bcf4a18c8af76ee7dd8cab2beb15484791d9a63f92026ea4

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
C:\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\??\c:\windows\system\explorer.exe
MD5
c7dd27a2bb4b1a076ab00441403f04c3

SHA1
d227ca0c369b0b27c19f3cef41c58c683a56094b

SHA256
9e0c2681882dd6213a816df112f3a7ce386748483d9dade97edb30ad32385202

SHA512
76bd033ccd5158abb12bd688734e859eeefa2b436ff2884f1ade4675108dc5031b8b0fd15dac3fd1bcf4a18c8af76ee7dd8cab2beb15484791d9a63f92026ea4

Download Submit
\Windows\system\explorer.exe
MD5
c7dd27a2bb4b1a076ab00441403f04c3

SHA1
d227ca0c369b0b27c19f3cef41c58c683a56094b

SHA256
9e0c2681882dd6213a816df112f3a7ce386748483d9dade97edb30ad32385202

SHA512
76bd033ccd5158abb12bd688734e859eeefa2b436ff2884f1ade4675108dc5031b8b0fd15dac3fd1bcf4a18c8af76ee7dd8cab2beb15484791d9a63f92026ea4

Download Submit
\Windows\system\explorer.exe
MD5
c7dd27a2bb4b1a076ab00441403f04c3

SHA1
d227ca0c369b0b27c19f3cef41c58c683a56094b

SHA256
9e0c2681882dd6213a816df112f3a7ce386748483d9dade97edb30ad32385202

SHA512
76bd033ccd5158abb12bd688734e859eeefa2b436ff2884f1ade4675108dc5031b8b0fd15dac3fd1bcf4a18c8af76ee7dd8cab2beb15484791d9a63f92026ea4

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
\Windows\system\spoolsv.exe
MD5
935c99e792bbeb81daa9748cb3df0865

SHA1
664f7341e19938763592a303cc35a727ceef3bd4

SHA256
e8098de64cf2a2696000c50c7ac59f511b6efae60ee54cf231333b8ae9633d85

SHA512
190bd9e08595d1edfabdfdd4b9efd3cec43c5bd1e57fa27e0b61913d286b5240d6134f0a554c56889a443ed8ad812e4ccfde959d09cf86d03cd666f24d4953ec

Download Submit
memory/112-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/112-65-0x0000000000411000-mapping.dmp

Download
memory/112-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-244-0x0000000000000000-mapping.dmp

Download
memory/268-253-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/272-179-0x0000000000000000-mapping.dmp

Download
memory/272-187-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/276-208-0x0000000000000000-mapping.dmp

Download
memory/276-213-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/288-242-0x0000000000000000-mapping.dmp

Download
memory/332-77-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/332-74-0x0000000000000000-mapping.dmp

Download
memory/396-161-0x0000000000000000-mapping.dmp

Download
memory/396-174-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/472-302-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/472-296-0x0000000000000000-mapping.dmp

Download
memory/540-122-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/540-117-0x0000000000000000-mapping.dmp

Download
memory/552-275-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/552-265-0x0000000000000000-mapping.dmp

Download
memory/560-95-0x0000000000000000-mapping.dmp

Download
memory/560-103-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/568-203-0x0000000000000000-mapping.dmp

Download
memory/592-166-0x0000000000000000-mapping.dmp

Download
memory/612-259-0x0000000000000000-mapping.dmp

Download
memory/768-240-0x0000000000000000-mapping.dmp

Download
memory/772-308-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/772-300-0x0000000000000000-mapping.dmp

Download
memory/796-121-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/796-112-0x0000000000000000-mapping.dmp

Download
memory/828-309-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/828-301-0x0000000000000000-mapping.dmp

Download
memory/844-311-0x0000000000000000-mapping.dmp

Download
memory/844-314-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/864-303-0x0000000000000000-mapping.dmp

Download
memory/896-271-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/896-261-0x0000000000000000-mapping.dmp

Download
memory/904-284-0x0000000000000000-mapping.dmp

Download
memory/932-80-0x0000000000403670-mapping.dmp

Download
memory/976-146-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/976-142-0x0000000000000000-mapping.dmp

Download
memory/1048-59-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1048-60-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1052-154-0x0000000000000000-mapping.dmp

Download
memory/1052-159-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1064-231-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1064-221-0x0000000000000000-mapping.dmp

Download
memory/1148-273-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1148-263-0x0000000000000000-mapping.dmp

Download
memory/1172-85-0x0000000000411000-mapping.dmp

Download
memory/1272-282-0x0000000000000000-mapping.dmp

Download
memory/1272-292-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1296-268-0x0000000000000000-mapping.dmp

Download
memory/1300-312-0x0000000000000000-mapping.dmp

Download
memory/1308-267-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1308-255-0x0000000000000000-mapping.dmp

Download
memory/1364-276-0x0000000000000000-mapping.dmp

Download
memory/1364-289-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1384-280-0x0000000000000000-mapping.dmp

Download
memory/1480-133-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1480-125-0x0000000000000000-mapping.dmp

Download
memory/1484-184-0x0000000000000000-mapping.dmp

Download
memory/1484-188-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1516-191-0x0000000000000000-mapping.dmp

Download
memory/1516-199-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1528-200-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1528-196-0x0000000000000000-mapping.dmp

Download
memory/1544-248-0x0000000000000000-mapping.dmp

Download
memory/1556-106-0x0000000000000000-mapping.dmp

Download
memory/1556-119-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1580-62-0x0000000000403670-mapping.dmp

Download
memory/1580-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1580-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-145-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1592-137-0x0000000000000000-mapping.dmp

Download
memory/1596-229-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-217-0x0000000000000000-mapping.dmp

Download
memory/1608-269-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1608-257-0x0000000000000000-mapping.dmp

Download
memory/1612-286-0x0000000000000000-mapping.dmp

Download
memory/1620-227-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1620-211-0x0000000000000000-mapping.dmp

Download
memory/1624-219-0x0000000000000000-mapping.dmp

Download
memory/1624-230-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1644-236-0x0000000000000000-mapping.dmp

Download
memory/1652-223-0x0000000000000000-mapping.dmp

Download
memory/1652-232-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1700-249-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1700-238-0x0000000000000000-mapping.dmp

Download
memory/1712-313-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1712-310-0x0000000000000000-mapping.dmp

Download
memory/1724-107-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1724-100-0x0000000000000000-mapping.dmp

Download
memory/1756-215-0x0000000000000000-mapping.dmp

Download
memory/1764-306-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1764-299-0x0000000000000000-mapping.dmp

Download
memory/1820-171-0x0000000000000000-mapping.dmp

Download
memory/1820-175-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1852-234-0x0000000000000000-mapping.dmp

Download
memory/1852-246-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1868-206-0x0000000000000000-mapping.dmp

Download
memory/1872-297-0x0000000000000000-mapping.dmp

Download
memory/1928-298-0x0000000000000000-mapping.dmp

Download
memory/1984-225-0x0000000000000000-mapping.dmp

Download
memory/2004-157-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2004-149-0x0000000000000000-mapping.dmp

Download
memory/2028-130-0x0000000000000000-mapping.dmp

Download
memory/2028-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2032-290-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2032-278-0x0000000000000000-mapping.dmp

Download
memory/2036-295-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2036-288-0x0000000000000000-mapping.dmp

Download