warzonerat | ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30

Analysis

max time kernel
151s
max time network
139s
platform
windows7_x64
resource
win7v20210408
submitted
04-05-2021 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
Size

1.8MB
MD5

adeb4690226aef0af78119115ad3227b
SHA1

fab9eac25fd6b371fc236d4b6a38958d0ad06021
SHA256

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30
SHA512

37e016c858bb77b7735c268aa314d9d87bb44ce98aa58076bd22cc174b271422d8aab0743238d94f7757683a0a9cfc3c3c59931baac8cc70e634b86bbea5fb48

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
908	explorer.exe
1608	explorer.exe
1296	spoolsv.exe
772	spoolsv.exe
112	spoolsv.exe
1360	spoolsv.exe
764	spoolsv.exe
2004	spoolsv.exe
988	spoolsv.exe
1952	spoolsv.exe
2008	spoolsv.exe
1584	spoolsv.exe
1728	spoolsv.exe
876	spoolsv.exe
1032	spoolsv.exe
1656	spoolsv.exe
1764	spoolsv.exe
336	spoolsv.exe
1404	spoolsv.exe
1472	spoolsv.exe
864	spoolsv.exe
852	spoolsv.exe
1900	spoolsv.exe
1104	spoolsv.exe
760	spoolsv.exe
292	spoolsv.exe
1904	spoolsv.exe
828	spoolsv.exe
1836	spoolsv.exe
952	spoolsv.exe
1172	spoolsv.exe
268	spoolsv.exe
1784	spoolsv.exe
1476	spoolsv.exe
564	spoolsv.exe
840	spoolsv.exe
1736	spoolsv.exe
608	spoolsv.exe
1712	spoolsv.exe
1804	spoolsv.exe
1160	spoolsv.exe
1148	spoolsv.exe
664	spoolsv.exe
616	spoolsv.exe
1064	spoolsv.exe
1668	spoolsv.exe
1344	spoolsv.exe
1976	spoolsv.exe
1144	spoolsv.exe
1652	spoolsv.exe
1028	spoolsv.exe
916	spoolsv.exe
1400	spoolsv.exe
1304	spoolsv.exe
908	spoolsv.exe
932	spoolsv.exe
328	spoolsv.exe
652	spoolsv.exe
1356	spoolsv.exe
960	spoolsv.exe
1268	spoolsv.exe
1808	spoolsv.exe
1552	spoolsv.exe
1640	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exeexplorer.exe

pid	process
1732	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
1732	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exead6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 62 IoCs

Processes:

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1652 set thread context of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 set thread context of 1680	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	diskperf.exe
PID 908 set thread context of 1608	908	explorer.exe	explorer.exe
PID 908 set thread context of 1560	908	explorer.exe	diskperf.exe
PID 1296 set thread context of 3280	1296	spoolsv.exe	spoolsv.exe
PID 1296 set thread context of 3288	1296	spoolsv.exe	diskperf.exe
PID 772 set thread context of 3332	772	spoolsv.exe	spoolsv.exe
PID 772 set thread context of 3340	772	spoolsv.exe	diskperf.exe
PID 112 set thread context of 3360	112	spoolsv.exe	spoolsv.exe
PID 112 set thread context of 3368	112	spoolsv.exe	diskperf.exe
PID 1360 set thread context of 3392	1360	spoolsv.exe	spoolsv.exe
PID 1360 set thread context of 3400	1360	spoolsv.exe	diskperf.exe
PID 764 set thread context of 3424	764	spoolsv.exe	spoolsv.exe
PID 764 set thread context of 3432	764	spoolsv.exe	diskperf.exe
PID 2004 set thread context of 3452	2004	spoolsv.exe	spoolsv.exe
PID 2004 set thread context of 3460	2004	spoolsv.exe	diskperf.exe
PID 988 set thread context of 3488	988	spoolsv.exe	spoolsv.exe
PID 988 set thread context of 3496	988	spoolsv.exe	diskperf.exe
PID 1952 set thread context of 3524	1952	spoolsv.exe	spoolsv.exe
PID 1952 set thread context of 3532	1952	spoolsv.exe	diskperf.exe
PID 2008 set thread context of 3560	2008	spoolsv.exe	spoolsv.exe
PID 2008 set thread context of 3568	2008	spoolsv.exe	diskperf.exe
PID 1584 set thread context of 3588	1584	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 3596	1584	spoolsv.exe	diskperf.exe
PID 1728 set thread context of 3620	1728	spoolsv.exe	spoolsv.exe
PID 1728 set thread context of 3628	1728	spoolsv.exe	diskperf.exe
PID 876 set thread context of 3652	876	spoolsv.exe	spoolsv.exe
PID 876 set thread context of 3660	876	spoolsv.exe	diskperf.exe
PID 1032 set thread context of 3692	1032	spoolsv.exe	spoolsv.exe
PID 1032 set thread context of 3700	1032	spoolsv.exe	diskperf.exe
PID 1656 set thread context of 3720	1656	spoolsv.exe	spoolsv.exe
PID 1656 set thread context of 3728	1656	spoolsv.exe	diskperf.exe
PID 1764 set thread context of 3752	1764	spoolsv.exe	spoolsv.exe
PID 1764 set thread context of 3760	1764	spoolsv.exe	diskperf.exe
PID 336 set thread context of 3788	336	spoolsv.exe	spoolsv.exe
PID 336 set thread context of 3796	336	spoolsv.exe	diskperf.exe
PID 1404 set thread context of 3824	1404	spoolsv.exe	spoolsv.exe
PID 1404 set thread context of 3832	1404	spoolsv.exe	diskperf.exe
PID 1472 set thread context of 3852	1472	spoolsv.exe	spoolsv.exe
PID 1472 set thread context of 3872	1472	spoolsv.exe	diskperf.exe
PID 864 set thread context of 3888	864	spoolsv.exe	spoolsv.exe
PID 864 set thread context of 3896	864	spoolsv.exe	diskperf.exe
PID 852 set thread context of 3920	852	spoolsv.exe	spoolsv.exe
PID 852 set thread context of 3928	852	spoolsv.exe	diskperf.exe
PID 1900 set thread context of 3948	1900	spoolsv.exe	spoolsv.exe
PID 1900 set thread context of 3956	1900	spoolsv.exe	diskperf.exe
PID 1104 set thread context of 3964	1104	spoolsv.exe	spoolsv.exe
PID 1104 set thread context of 3972	1104	spoolsv.exe	diskperf.exe
PID 760 set thread context of 3996	760	spoolsv.exe	spoolsv.exe
PID 760 set thread context of 4004	760	spoolsv.exe	diskperf.exe
PID 292 set thread context of 4012	292	spoolsv.exe	spoolsv.exe
PID 292 set thread context of 4028	292	spoolsv.exe	diskperf.exe
PID 1904 set thread context of 4020	1904	spoolsv.exe	spoolsv.exe
PID 1904 set thread context of 4036	1904	spoolsv.exe	diskperf.exe
PID 828 set thread context of 4056	828	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 4064	828	spoolsv.exe	diskperf.exe
PID 1836 set thread context of 4072	1836	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 4080	952	spoolsv.exe	spoolsv.exe
PID 1836 set thread context of 4088	1836	spoolsv.exe	diskperf.exe
PID 952 set thread context of 1872	952	spoolsv.exe	diskperf.exe
PID 1172 set thread context of 1060	1172	spoolsv.exe	spoolsv.exe
PID 1172 set thread context of 3336	1172	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exeexplorer.exe

pid	process
1732	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1608 explorer.exe

pid	process
1608	explorer.exe

Suspicious use of SetWindowsHookEx 63 IoCs

Processes:

pid	process
1732	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
1732	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
1608	explorer.exe
3280	spoolsv.exe
3280	spoolsv.exe
3332	spoolsv.exe
3332	spoolsv.exe
3360	spoolsv.exe
3360	spoolsv.exe
3392	spoolsv.exe
3392	spoolsv.exe
3424	spoolsv.exe
3424	spoolsv.exe
3452	spoolsv.exe
3452	spoolsv.exe
3488	spoolsv.exe
3488	spoolsv.exe
3524	spoolsv.exe
3524	spoolsv.exe
3560	spoolsv.exe
3560	spoolsv.exe
3588	spoolsv.exe
3588	spoolsv.exe
3620	spoolsv.exe
3620	spoolsv.exe
3652	spoolsv.exe
3652	spoolsv.exe
3692	spoolsv.exe
3692	spoolsv.exe
3720	spoolsv.exe
3720	spoolsv.exe
3752	spoolsv.exe
3752	spoolsv.exe
3788	spoolsv.exe
3788	spoolsv.exe
3824	spoolsv.exe
3824	spoolsv.exe
3852	spoolsv.exe
3852	spoolsv.exe
3888	spoolsv.exe
3888	spoolsv.exe
3920	spoolsv.exe
3920	spoolsv.exe
3948	spoolsv.exe
3964	spoolsv.exe
3948	spoolsv.exe
3964	spoolsv.exe
3996	spoolsv.exe
3996	spoolsv.exe
4020	spoolsv.exe
4020	spoolsv.exe
4012	spoolsv.exe
4012	spoolsv.exe
4056	spoolsv.exe
4056	spoolsv.exe
4072	spoolsv.exe
4072	spoolsv.exe
4080	spoolsv.exe
4080	spoolsv.exe
1060	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exead6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1652 wrote to memory of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 wrote to memory of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 wrote to memory of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 wrote to memory of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 wrote to memory of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 wrote to memory of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 wrote to memory of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 wrote to memory of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 wrote to memory of 1732	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
PID 1652 wrote to memory of 1680	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	diskperf.exe
PID 1652 wrote to memory of 1680	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	diskperf.exe
PID 1652 wrote to memory of 1680	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	diskperf.exe
PID 1652 wrote to memory of 1680	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	diskperf.exe
PID 1652 wrote to memory of 1680	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	diskperf.exe
PID 1652 wrote to memory of 1680	1652	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	diskperf.exe
PID 1732 wrote to memory of 908	1732	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	explorer.exe
PID 1732 wrote to memory of 908	1732	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	explorer.exe
PID 1732 wrote to memory of 908	1732	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	explorer.exe
PID 1732 wrote to memory of 908	1732	ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe	explorer.exe
PID 908 wrote to memory of 1608	908	explorer.exe	explorer.exe
PID 908 wrote to memory of 1608	908	explorer.exe	explorer.exe
PID 908 wrote to memory of 1608	908	explorer.exe	explorer.exe
PID 908 wrote to memory of 1608	908	explorer.exe	explorer.exe
PID 908 wrote to memory of 1608	908	explorer.exe	explorer.exe
PID 908 wrote to memory of 1608	908	explorer.exe	explorer.exe
PID 908 wrote to memory of 1608	908	explorer.exe	explorer.exe
PID 908 wrote to memory of 1608	908	explorer.exe	explorer.exe
PID 908 wrote to memory of 1608	908	explorer.exe	explorer.exe
PID 908 wrote to memory of 1560	908	explorer.exe	diskperf.exe
PID 908 wrote to memory of 1560	908	explorer.exe	diskperf.exe
PID 908 wrote to memory of 1560	908	explorer.exe	diskperf.exe
PID 908 wrote to memory of 1560	908	explorer.exe	diskperf.exe
PID 908 wrote to memory of 1560	908	explorer.exe	diskperf.exe
PID 908 wrote to memory of 1560	908	explorer.exe	diskperf.exe
PID 1608 wrote to memory of 1296	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 1296	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 1296	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 1296	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 772	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 772	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 772	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 772	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 112	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 112	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 112	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 112	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 1360	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 1360	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 1360	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 1360	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 764	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 764	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 764	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 764	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 2004	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 2004	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 2004	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 2004	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 988	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 988	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 988	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 988	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 1952	1608	explorer.exe	spoolsv.exe
PID 1608 wrote to memory of 1952	1608	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
"C:\Users\Admin\AppData\Local\Temp\ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe
"C:\Users\Admin\AppData\Local\Temp\ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3280

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3332

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3352

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3360

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3392

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3424

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3452

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3488

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3508

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3524

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3560

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3588

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3620

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3652

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3720

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3788

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3852

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3948

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3996

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4072

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3396

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3528

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1240

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3588

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3604

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3736

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3840

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3856

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3952

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4084

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3348

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3492

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1724

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3904

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1252

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:560

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3388

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3528

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1252

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1616

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1176

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1108

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
adeb4690226aef0af78119115ad3227b

SHA1
fab9eac25fd6b371fc236d4b6a38958d0ad06021

SHA256
ad6b307bca7d1bc6c440af15b4ef78e8d613b694f06d14c30ad02f7dbcc32d30

SHA512
37e016c858bb77b7735c268aa314d9d87bb44ce98aa58076bd22cc174b271422d8aab0743238d94f7757683a0a9cfc3c3c59931baac8cc70e634b86bbea5fb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
979614056c7c7088ed389d43556092e4

SHA1
dfd2d6e0ae8b1f0d98df9b731ce1f385c4989453

SHA256
3d72f07d3a5ec7f5f1df029666c4516eeb1dfcbdb2efb2dddfd53b01b10f529e

SHA512
fff83d7866dc5d1d4f693a6ecfcb8375d352e6ab23d4562220ff4ca30a988b77ef2a974044de5461a4728c1326979e08b8a92722e15eef74600bde6cfeac7a2a

Download Submit
C:\Windows\system\explorer.exe
MD5
979614056c7c7088ed389d43556092e4

SHA1
dfd2d6e0ae8b1f0d98df9b731ce1f385c4989453

SHA256
3d72f07d3a5ec7f5f1df029666c4516eeb1dfcbdb2efb2dddfd53b01b10f529e

SHA512
fff83d7866dc5d1d4f693a6ecfcb8375d352e6ab23d4562220ff4ca30a988b77ef2a974044de5461a4728c1326979e08b8a92722e15eef74600bde6cfeac7a2a

Download Submit
C:\Windows\system\explorer.exe
MD5
979614056c7c7088ed389d43556092e4

SHA1
dfd2d6e0ae8b1f0d98df9b731ce1f385c4989453

SHA256
3d72f07d3a5ec7f5f1df029666c4516eeb1dfcbdb2efb2dddfd53b01b10f529e

SHA512
fff83d7866dc5d1d4f693a6ecfcb8375d352e6ab23d4562220ff4ca30a988b77ef2a974044de5461a4728c1326979e08b8a92722e15eef74600bde6cfeac7a2a

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
C:\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\??\c:\windows\system\explorer.exe
MD5
979614056c7c7088ed389d43556092e4

SHA1
dfd2d6e0ae8b1f0d98df9b731ce1f385c4989453

SHA256
3d72f07d3a5ec7f5f1df029666c4516eeb1dfcbdb2efb2dddfd53b01b10f529e

SHA512
fff83d7866dc5d1d4f693a6ecfcb8375d352e6ab23d4562220ff4ca30a988b77ef2a974044de5461a4728c1326979e08b8a92722e15eef74600bde6cfeac7a2a

Download Submit
\Windows\system\explorer.exe
MD5
979614056c7c7088ed389d43556092e4

SHA1
dfd2d6e0ae8b1f0d98df9b731ce1f385c4989453

SHA256
3d72f07d3a5ec7f5f1df029666c4516eeb1dfcbdb2efb2dddfd53b01b10f529e

SHA512
fff83d7866dc5d1d4f693a6ecfcb8375d352e6ab23d4562220ff4ca30a988b77ef2a974044de5461a4728c1326979e08b8a92722e15eef74600bde6cfeac7a2a

Download Submit
\Windows\system\explorer.exe
MD5
979614056c7c7088ed389d43556092e4

SHA1
dfd2d6e0ae8b1f0d98df9b731ce1f385c4989453

SHA256
3d72f07d3a5ec7f5f1df029666c4516eeb1dfcbdb2efb2dddfd53b01b10f529e

SHA512
fff83d7866dc5d1d4f693a6ecfcb8375d352e6ab23d4562220ff4ca30a988b77ef2a974044de5461a4728c1326979e08b8a92722e15eef74600bde6cfeac7a2a

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
\Windows\system\spoolsv.exe
MD5
8cd7b80d6058a88763f311e6d070e7cb

SHA1
17ad8fd7c2c8e04d65fadbbc1072287b6d7072ad

SHA256
c1638fb169053da23a11c0bcdca42526f545b5273c2f5eca0f5c17c5488449d4

SHA512
738d11ddba05d6450c78ed63ba9ae29046d65e6b066c54ff75696519a3089d635e3898dc2605d06843652ad945436340768923cd8e5bf938a11cd5bd2e994d64

Download Submit
memory/112-107-0x0000000000000000-mapping.dmp

Download
memory/112-114-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/268-238-0x0000000000000000-mapping.dmp

Download
memory/268-252-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/292-232-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/292-219-0x0000000000000000-mapping.dmp

Download
memory/328-304-0x0000000000000000-mapping.dmp

Download
memory/336-189-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/336-184-0x0000000000000000-mapping.dmp

Download
memory/564-244-0x0000000000000000-mapping.dmp

Download
memory/564-255-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/608-250-0x0000000000000000-mapping.dmp

Download
memory/616-269-0x0000000000000000-mapping.dmp

Download
memory/652-305-0x0000000000000000-mapping.dmp

Download
memory/664-280-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/664-267-0x0000000000000000-mapping.dmp

Download
memory/760-217-0x0000000000000000-mapping.dmp

Download
memory/764-131-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/764-119-0x0000000000000000-mapping.dmp

Download
memory/772-102-0x0000000000000000-mapping.dmp

Download
memory/772-111-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/828-223-0x0000000000000000-mapping.dmp

Download
memory/840-246-0x0000000000000000-mapping.dmp

Download
memory/852-207-0x0000000000000000-mapping.dmp

Download
memory/852-214-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/864-204-0x0000000000000000-mapping.dmp

Download
memory/864-213-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/876-170-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/876-161-0x0000000000000000-mapping.dmp

Download
memory/908-302-0x0000000000000000-mapping.dmp

Download
memory/908-74-0x0000000000000000-mapping.dmp

Download
memory/908-309-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/908-78-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/916-292-0x0000000000000000-mapping.dmp

Download
memory/932-310-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/932-303-0x0000000000000000-mapping.dmp

Download
memory/952-227-0x0000000000000000-mapping.dmp

Download
memory/952-236-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/960-307-0x0000000000000000-mapping.dmp

Download
memory/960-314-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/988-130-0x0000000000000000-mapping.dmp

Download
memory/988-143-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1028-291-0x0000000000000000-mapping.dmp

Download
memory/1028-298-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1032-166-0x0000000000000000-mapping.dmp

Download
memory/1032-171-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1064-282-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1064-271-0x0000000000000000-mapping.dmp

Download
memory/1104-211-0x0000000000000000-mapping.dmp

Download
memory/1144-287-0x0000000000000000-mapping.dmp

Download
memory/1144-296-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1148-278-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1148-265-0x0000000000000000-mapping.dmp

Download
memory/1160-263-0x0000000000000000-mapping.dmp

Download
memory/1160-277-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1172-229-0x0000000000000000-mapping.dmp

Download
memory/1172-237-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1268-315-0x0000000000000000-mapping.dmp

Download
memory/1296-96-0x0000000000000000-mapping.dmp

Download
memory/1296-99-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1304-301-0x0000000000000000-mapping.dmp

Download
memory/1304-308-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1344-283-0x0000000000000000-mapping.dmp

Download
memory/1356-313-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1356-306-0x0000000000000000-mapping.dmp

Download
memory/1360-127-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1360-113-0x0000000000000000-mapping.dmp

Download
memory/1400-293-0x0000000000000000-mapping.dmp

Download
memory/1404-192-0x0000000000000000-mapping.dmp

Download
memory/1404-200-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1472-197-0x0000000000000000-mapping.dmp

Download
memory/1476-254-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1476-242-0x0000000000000000-mapping.dmp

Download
memory/1560-86-0x0000000000411000-mapping.dmp

Download
memory/1584-149-0x0000000000000000-mapping.dmp

Download
memory/1584-158-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1608-81-0x0000000000403670-mapping.dmp

Download
memory/1652-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1652-297-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1652-60-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1652-289-0x0000000000000000-mapping.dmp

Download
memory/1656-174-0x0000000000000000-mapping.dmp

Download
memory/1668-274-0x0000000000000000-mapping.dmp

Download
memory/1668-279-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1680-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1680-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1680-67-0x0000000000411000-mapping.dmp

Download
memory/1712-273-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1712-259-0x0000000000000000-mapping.dmp

Download
memory/1728-168-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1728-154-0x0000000000000000-mapping.dmp

Download
memory/1732-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1732-63-0x0000000000403670-mapping.dmp

Download
memory/1736-257-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1736-248-0x0000000000000000-mapping.dmp

Download
memory/1764-179-0x0000000000000000-mapping.dmp

Download
memory/1764-188-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1784-240-0x0000000000000000-mapping.dmp

Download
memory/1784-253-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1804-261-0x0000000000000000-mapping.dmp

Download
memory/1804-275-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1836-235-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1836-225-0x0000000000000000-mapping.dmp

Download
memory/1900-209-0x0000000000000000-mapping.dmp

Download
memory/1900-215-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1904-233-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1904-221-0x0000000000000000-mapping.dmp

Download
memory/1952-144-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1952-137-0x0000000000000000-mapping.dmp

Download
memory/1976-285-0x0000000000000000-mapping.dmp

Download
memory/1976-295-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2004-124-0x0000000000000000-mapping.dmp

Download
memory/2004-132-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-156-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-142-0x0000000000000000-mapping.dmp

Download