warzonerat | dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45

Analysis

max time kernel
137s
max time network
126s
platform
windows10_x64
resource
win10v20210410
submitted
04-05-2021 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
Size

1.8MB
MD5

c1ad5f2ef3adc0df53f806aae1b0429b
SHA1

2f132de302815f8eb4d5b0595d15c3728144d84a
SHA256

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45
SHA512

7c0013dddb9bb01ea2bc0a72492e2df754c9a6ca9b08eb3a7171eb79a3e090107503947ded8dd92f9143719b2b9f3facabaab4bd39a7e5ab476ad5232c658d96

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3340	explorer.exe
1296	explorer.exe
3868	spoolsv.exe
4036	spoolsv.exe
1400	spoolsv.exe
1808	spoolsv.exe
2776	spoolsv.exe
2548	spoolsv.exe
3996	spoolsv.exe
2812	spoolsv.exe
2068	spoolsv.exe
2828	spoolsv.exe
680	spoolsv.exe
2260	spoolsv.exe
2240	spoolsv.exe
2676	spoolsv.exe
1052	spoolsv.exe
3152	spoolsv.exe
972	spoolsv.exe
3464	spoolsv.exe
3968	spoolsv.exe
1492	spoolsv.exe
1504	spoolsv.exe
860	spoolsv.exe
1056	spoolsv.exe
1996	spoolsv.exe
3376	spoolsv.exe
900	spoolsv.exe
3900	spoolsv.exe
1468	spoolsv.exe
3728	spoolsv.exe
2568	spoolsv.exe
3016	spoolsv.exe
2848	spoolsv.exe
2484	spoolsv.exe
3156	spoolsv.exe
2248	spoolsv.exe
3716	spoolsv.exe
3612	spoolsv.exe
3568	spoolsv.exe
2216	spoolsv.exe
2292	spoolsv.exe
3684	spoolsv.exe
1460	spoolsv.exe
1280	spoolsv.exe
2196	spoolsv.exe
3960	spoolsv.exe
4104	spoolsv.exe
4128	spoolsv.exe
4152	spoolsv.exe
4188	spoolsv.exe
4212	spoolsv.exe
4236	spoolsv.exe
4260	spoolsv.exe
4300	spoolsv.exe
4324	spoolsv.exe
4348	spoolsv.exe
4384	spoolsv.exe
4408	spoolsv.exe
4432	spoolsv.exe
4468	spoolsv.exe
4488	spoolsv.exe
4504	spoolsv.exe
4520	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 39 IoCs

Processes:

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3176 set thread context of 3604	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 3176 set thread context of 3792	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 3340 set thread context of 1296	3340	explorer.exe	explorer.exe
PID 3340 set thread context of 2104	3340	explorer.exe	diskperf.exe
PID 3868 set thread context of 6576	3868	spoolsv.exe	spoolsv.exe
PID 3868 set thread context of 6596	3868	spoolsv.exe	diskperf.exe
PID 4036 set thread context of 6680	4036	spoolsv.exe	spoolsv.exe
PID 4036 set thread context of 6696	4036	spoolsv.exe	diskperf.exe
PID 1400 set thread context of 6756	1400	spoolsv.exe	spoolsv.exe
PID 1400 set thread context of 6772	1400	spoolsv.exe	diskperf.exe
PID 1808 set thread context of 6836	1808	spoolsv.exe	spoolsv.exe
PID 1808 set thread context of 6860	1808	spoolsv.exe	diskperf.exe
PID 2776 set thread context of 6900	2776	spoolsv.exe	spoolsv.exe
PID 2548 set thread context of 6932	2548	spoolsv.exe	spoolsv.exe
PID 2548 set thread context of 6952	2548	spoolsv.exe	diskperf.exe
PID 3996 set thread context of 7012	3996	spoolsv.exe	spoolsv.exe
PID 3996 set thread context of 7044	3996	spoolsv.exe	diskperf.exe
PID 2812 set thread context of 7060	2812	spoolsv.exe	spoolsv.exe
PID 2068 set thread context of 7112	2068	spoolsv.exe	spoolsv.exe
PID 2068 set thread context of 7136	2068	spoolsv.exe	diskperf.exe
PID 2828 set thread context of 7152	2828	spoolsv.exe	spoolsv.exe
PID 2828 set thread context of 7164	2828	spoolsv.exe	diskperf.exe
PID 680 set thread context of 3896	680	spoolsv.exe	spoolsv.exe
PID 2260 set thread context of 6580	2260	spoolsv.exe	spoolsv.exe
PID 2240 set thread context of 6764	2240	spoolsv.exe	spoolsv.exe
PID 2240 set thread context of 1208	2240	spoolsv.exe	diskperf.exe
PID 2676 set thread context of 6856	2676	spoolsv.exe	spoolsv.exe
PID 2676 set thread context of 6768	2676	spoolsv.exe	diskperf.exe
PID 1052 set thread context of 6908	1052	spoolsv.exe	spoolsv.exe
PID 1052 set thread context of 1204	1052	spoolsv.exe	diskperf.exe
PID 3152 set thread context of 7004	3152	spoolsv.exe	spoolsv.exe
PID 3152 set thread context of 6996	3152	spoolsv.exe	diskperf.exe
PID 972 set thread context of 3772	972	spoolsv.exe	spoolsv.exe
PID 3464 set thread context of 7080	3464	spoolsv.exe	spoolsv.exe
PID 3464 set thread context of 7108	3464	spoolsv.exe	diskperf.exe
PID 3968 set thread context of 7116	3968	spoolsv.exe	spoolsv.exe
PID 3968 set thread context of 1676	3968	spoolsv.exe	diskperf.exe
PID 1492 set thread context of 6628	1492	spoolsv.exe	spoolsv.exe
PID 1504 set thread context of 6740	1504	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exeexplorer.exe

pid	process
3604	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
3604	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1296 explorer.exe

pid	process
1296	explorer.exe

Suspicious use of SetWindowsHookEx 46 IoCs

Processes:

pid	process
3604	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
3604	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
1296	explorer.exe
6576	spoolsv.exe
6576	spoolsv.exe
6680	spoolsv.exe
6680	spoolsv.exe
6756	spoolsv.exe
6756	spoolsv.exe
6836	spoolsv.exe
6836	spoolsv.exe
6900	spoolsv.exe
6900	spoolsv.exe
6932	spoolsv.exe
6932	spoolsv.exe
7012	spoolsv.exe
7012	spoolsv.exe
7060	spoolsv.exe
7060	spoolsv.exe
7112	spoolsv.exe
7112	spoolsv.exe
7152	spoolsv.exe
7152	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe
6580	spoolsv.exe
6580	spoolsv.exe
6764	spoolsv.exe
6764	spoolsv.exe
6856	spoolsv.exe
6856	spoolsv.exe
6908	spoolsv.exe
6908	spoolsv.exe
7004	spoolsv.exe
7004	spoolsv.exe
3772	spoolsv.exe
3772	spoolsv.exe
7080	spoolsv.exe
7080	spoolsv.exe
7116	spoolsv.exe
7116	spoolsv.exe
6628	spoolsv.exe
6628	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exedd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3176 wrote to memory of 3604	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 3176 wrote to memory of 3604	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 3176 wrote to memory of 3604	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 3176 wrote to memory of 3604	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 3176 wrote to memory of 3604	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 3176 wrote to memory of 3604	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 3176 wrote to memory of 3604	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 3176 wrote to memory of 3604	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
PID 3176 wrote to memory of 3792	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 3176 wrote to memory of 3792	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 3176 wrote to memory of 3792	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 3176 wrote to memory of 3792	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 3176 wrote to memory of 3792	3176	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	diskperf.exe
PID 3604 wrote to memory of 3340	3604	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	explorer.exe
PID 3604 wrote to memory of 3340	3604	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	explorer.exe
PID 3604 wrote to memory of 3340	3604	dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe	explorer.exe
PID 3340 wrote to memory of 1296	3340	explorer.exe	explorer.exe
PID 3340 wrote to memory of 1296	3340	explorer.exe	explorer.exe
PID 3340 wrote to memory of 1296	3340	explorer.exe	explorer.exe
PID 3340 wrote to memory of 1296	3340	explorer.exe	explorer.exe
PID 3340 wrote to memory of 1296	3340	explorer.exe	explorer.exe
PID 3340 wrote to memory of 1296	3340	explorer.exe	explorer.exe
PID 3340 wrote to memory of 1296	3340	explorer.exe	explorer.exe
PID 3340 wrote to memory of 1296	3340	explorer.exe	explorer.exe
PID 3340 wrote to memory of 2104	3340	explorer.exe	diskperf.exe
PID 3340 wrote to memory of 2104	3340	explorer.exe	diskperf.exe
PID 3340 wrote to memory of 2104	3340	explorer.exe	diskperf.exe
PID 3340 wrote to memory of 2104	3340	explorer.exe	diskperf.exe
PID 3340 wrote to memory of 2104	3340	explorer.exe	diskperf.exe
PID 1296 wrote to memory of 3868	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 3868	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 3868	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 4036	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 4036	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 4036	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 1400	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 1400	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 1400	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 1808	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 1808	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 1808	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2776	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2776	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2776	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2548	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2548	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2548	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 3996	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 3996	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 3996	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2812	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2812	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2812	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2068	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2068	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2068	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2828	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2828	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2828	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 680	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 680	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 680	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2260	1296	explorer.exe	spoolsv.exe
PID 1296 wrote to memory of 2260	1296	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
"C:\Users\Admin\AppData\Local\Temp\dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe
"C:\Users\Admin\AppData\Local\Temp\dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3604

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3340

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6576

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6900

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7060

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7112

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7152

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3896

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2240

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6764

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6856

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6908

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7004

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3772

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7080

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4252

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7116

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6628

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:6740

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6848

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4364

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6876

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:6968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:2104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:3792

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:6980

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
c1ad5f2ef3adc0df53f806aae1b0429b

SHA1
2f132de302815f8eb4d5b0595d15c3728144d84a

SHA256
dd3bfcb4d3e094512c82dada8cd218c56febd914342e9063f533cdbfea0bca45

SHA512
7c0013dddb9bb01ea2bc0a72492e2df754c9a6ca9b08eb3a7171eb79a3e090107503947ded8dd92f9143719b2b9f3facabaab4bd39a7e5ab476ad5232c658d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
8e7900ac5ca1ba47c5e8f1296694a304

SHA1
8f730f392c3ffe5d81b3ae06d15b58bfa5092939

SHA256
772bcd4b13015080f8f5ee43d0d58e1f920333ce0e7187a5352150e6099954f5

SHA512
c87ba99b9b04e103c3a60eeb24875a4ad33c88ba248d4109bb04ebbff7f2eb0afb47bf067906620fb7060d43d23aa52dd36b58ead348029478ca22af8fe965cc

Download Submit
C:\Windows\System\explorer.exe
MD5
8e7900ac5ca1ba47c5e8f1296694a304

SHA1
8f730f392c3ffe5d81b3ae06d15b58bfa5092939

SHA256
772bcd4b13015080f8f5ee43d0d58e1f920333ce0e7187a5352150e6099954f5

SHA512
c87ba99b9b04e103c3a60eeb24875a4ad33c88ba248d4109bb04ebbff7f2eb0afb47bf067906620fb7060d43d23aa52dd36b58ead348029478ca22af8fe965cc

Download Submit
C:\Windows\System\explorer.exe
MD5
8e7900ac5ca1ba47c5e8f1296694a304

SHA1
8f730f392c3ffe5d81b3ae06d15b58bfa5092939

SHA256
772bcd4b13015080f8f5ee43d0d58e1f920333ce0e7187a5352150e6099954f5

SHA512
c87ba99b9b04e103c3a60eeb24875a4ad33c88ba248d4109bb04ebbff7f2eb0afb47bf067906620fb7060d43d23aa52dd36b58ead348029478ca22af8fe965cc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
\??\c:\windows\system\explorer.exe
MD5
8e7900ac5ca1ba47c5e8f1296694a304

SHA1
8f730f392c3ffe5d81b3ae06d15b58bfa5092939

SHA256
772bcd4b13015080f8f5ee43d0d58e1f920333ce0e7187a5352150e6099954f5

SHA512
c87ba99b9b04e103c3a60eeb24875a4ad33c88ba248d4109bb04ebbff7f2eb0afb47bf067906620fb7060d43d23aa52dd36b58ead348029478ca22af8fe965cc

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
1192016966bb7e9b256356724c158154

SHA1
1f0967edadf7e376e55be246f0e6545694dfb644

SHA256
46a170059fed68b6f4a87d35175e9ae1700ad19d84222ab827e26ece085b081c

SHA512
1a3f72df4817643b3d10a3fc8583b2d325153391f1bf9c52c2ffbb2735ffb1f4b268074bacd5509bc40e3c43ba5c6e390f3fc34b32122ff548a1b138b3a0549f

Download Submit
memory/680-175-0x0000000000000000-mapping.dmp

Download
memory/680-183-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/860-208-0x0000000000000000-mapping.dmp

Download
memory/860-216-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/900-220-0x0000000000000000-mapping.dmp

Download
memory/900-228-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/972-191-0x0000000000000000-mapping.dmp

Download
memory/972-195-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1052-187-0x0000000000000000-mapping.dmp

Download
memory/1052-193-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1056-218-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1056-210-0x0000000000000000-mapping.dmp

Download
memory/1280-271-0x0000000000000000-mapping.dmp

Download
memory/1280-277-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1296-131-0x0000000000403670-mapping.dmp

Download
memory/1400-154-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1400-149-0x0000000000000000-mapping.dmp

Download
memory/1460-269-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/1460-266-0x0000000000000000-mapping.dmp

Download
memory/1468-231-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1468-224-0x0000000000000000-mapping.dmp

Download
memory/1492-207-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1492-200-0x0000000000000000-mapping.dmp

Download
memory/1504-205-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1504-202-0x0000000000000000-mapping.dmp

Download
memory/1808-152-0x0000000000000000-mapping.dmp

Download
memory/1808-156-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1996-212-0x0000000000000000-mapping.dmp

Download
memory/1996-219-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/2068-168-0x0000000000000000-mapping.dmp

Download
memory/2068-173-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2104-136-0x0000000000411000-mapping.dmp

Download
memory/2196-279-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2196-273-0x0000000000000000-mapping.dmp

Download
memory/2216-261-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2216-257-0x0000000000000000-mapping.dmp

Download
memory/2240-186-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2240-179-0x0000000000000000-mapping.dmp

Download
memory/2248-252-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2248-245-0x0000000000000000-mapping.dmp

Download
memory/2260-185-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2260-177-0x0000000000000000-mapping.dmp

Download
memory/2292-268-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2292-262-0x0000000000000000-mapping.dmp

Download
memory/2484-249-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2484-241-0x0000000000000000-mapping.dmp

Download
memory/2548-159-0x0000000000000000-mapping.dmp

Download
memory/2548-165-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2568-232-0x0000000000000000-mapping.dmp

Download
memory/2568-238-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2676-184-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2676-181-0x0000000000000000-mapping.dmp

Download
memory/2776-163-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2776-157-0x0000000000000000-mapping.dmp

Download
memory/2812-172-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2812-166-0x0000000000000000-mapping.dmp

Download
memory/2828-170-0x0000000000000000-mapping.dmp

Download
memory/2828-174-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2848-240-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2848-236-0x0000000000000000-mapping.dmp

Download
memory/3016-239-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3016-234-0x0000000000000000-mapping.dmp

Download
memory/3152-194-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3152-189-0x0000000000000000-mapping.dmp

Download
memory/3156-251-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3156-243-0x0000000000000000-mapping.dmp

Download
memory/3176-114-0x0000000000630000-0x000000000077A000-memory.dmp

Filesize
1.3MB

Download
memory/3340-129-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3340-125-0x0000000000000000-mapping.dmp

Download
memory/3376-214-0x0000000000000000-mapping.dmp

Download
memory/3376-217-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3464-204-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/3464-196-0x0000000000000000-mapping.dmp

Download
memory/3568-255-0x0000000000000000-mapping.dmp

Download
memory/3568-260-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/3604-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3604-116-0x0000000000403670-mapping.dmp

Download
memory/3604-121-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3612-259-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3612-253-0x0000000000000000-mapping.dmp

Download
memory/3684-270-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3684-264-0x0000000000000000-mapping.dmp

Download
memory/3716-247-0x0000000000000000-mapping.dmp

Download
memory/3716-250-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3728-226-0x0000000000000000-mapping.dmp

Download
memory/3792-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3792-118-0x0000000000411000-mapping.dmp

Download
memory/3792-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3868-151-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3868-144-0x0000000000000000-mapping.dmp

Download
memory/3900-230-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3900-222-0x0000000000000000-mapping.dmp

Download
memory/3960-278-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3960-275-0x0000000000000000-mapping.dmp

Download
memory/3968-206-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3968-198-0x0000000000000000-mapping.dmp

Download
memory/3996-161-0x0000000000000000-mapping.dmp

Download
memory/3996-164-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4036-147-0x0000000000000000-mapping.dmp

Download
memory/4036-153-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4104-286-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4104-280-0x0000000000000000-mapping.dmp

Download
memory/4128-282-0x0000000000000000-mapping.dmp

Download
memory/4128-287-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4152-284-0x0000000000000000-mapping.dmp

Download
memory/4152-288-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4188-289-0x0000000000000000-mapping.dmp

Download
memory/4188-297-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4212-299-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4212-291-0x0000000000000000-mapping.dmp

Download
memory/4236-300-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4236-293-0x0000000000000000-mapping.dmp

Download
memory/4260-298-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4260-295-0x0000000000000000-mapping.dmp

Download
memory/4300-301-0x0000000000000000-mapping.dmp

Download
memory/4300-307-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4324-308-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4324-303-0x0000000000000000-mapping.dmp

Download
memory/4348-309-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/4348-305-0x0000000000000000-mapping.dmp

Download
memory/4384-310-0x0000000000000000-mapping.dmp

Download
memory/4384-316-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4408-312-0x0000000000000000-mapping.dmp

Download
memory/4408-318-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4432-314-0x0000000000000000-mapping.dmp

Download
memory/4432-317-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4468-319-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads