warzonerat | 9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

Analysis

max time kernel
143s
max time network
12s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd27da88_by_Libranalysis.exe
Size

1.8MB
MD5

fd27da880372209151379289b0e57d11
SHA1

9d9236804d7a0574ebff234bec1bea519497c27f
SHA256

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339
SHA512

d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1680	explorer.exe
572	explorer.exe
524	spoolsv.exe
1172	spoolsv.exe
744	spoolsv.exe
1108	spoolsv.exe
1392	spoolsv.exe
1624	spoolsv.exe
1140	spoolsv.exe
1596	spoolsv.exe
1672	spoolsv.exe
1944	spoolsv.exe
1008	spoolsv.exe
824	spoolsv.exe
1208	spoolsv.exe
1964	spoolsv.exe
1920	spoolsv.exe
2012	spoolsv.exe
1536	spoolsv.exe
1680	spoolsv.exe
1032	spoolsv.exe
1924	spoolsv.exe
1212	spoolsv.exe
896	spoolsv.exe
1092	spoolsv.exe
1300	spoolsv.exe
1316	spoolsv.exe
1716	spoolsv.exe
1404	spoolsv.exe
1976	spoolsv.exe
800	spoolsv.exe
968	spoolsv.exe
1164	spoolsv.exe
1704	spoolsv.exe
1496	spoolsv.exe
644	spoolsv.exe
1952	spoolsv.exe
1560	spoolsv.exe
2024	spoolsv.exe
1772	spoolsv.exe
2032	spoolsv.exe
2028	spoolsv.exe
1064	spoolsv.exe
568	spoolsv.exe
532	spoolsv.exe
1804	spoolsv.exe
1628	spoolsv.exe
1124	spoolsv.exe
1364	spoolsv.exe
1764	spoolsv.exe
1684	spoolsv.exe
836	spoolsv.exe
1472	spoolsv.exe
1940	spoolsv.exe
1388	spoolsv.exe
1280	spoolsv.exe
340	spoolsv.exe
748	spoolsv.exe
832	spoolsv.exe
1252	spoolsv.exe
652	spoolsv.exe
1668	spoolsv.exe
1724	spoolsv.exe
956	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

fd27da88_by_Libranalysis.exeexplorer.exe

pid	process
292	fd27da88_by_Libranalysis.exe
292	fd27da88_by_Libranalysis.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exefd27da88_by_Libranalysis.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	fd27da88_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 59 IoCs

Processes:

fd27da88_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1904 set thread context of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 set thread context of 1708	1904	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 1680 set thread context of 572	1680	explorer.exe	explorer.exe
PID 1680 set thread context of 828	1680	explorer.exe	diskperf.exe
PID 524 set thread context of 3080	524	spoolsv.exe	spoolsv.exe
PID 524 set thread context of 3088	524	spoolsv.exe	diskperf.exe
PID 1172 set thread context of 3128	1172	spoolsv.exe	spoolsv.exe
PID 1172 set thread context of 3136	1172	spoolsv.exe	diskperf.exe
PID 744 set thread context of 3164	744	spoolsv.exe	spoolsv.exe
PID 744 set thread context of 3172	744	spoolsv.exe	diskperf.exe
PID 1108 set thread context of 3200	1108	spoolsv.exe	spoolsv.exe
PID 1108 set thread context of 3208	1108	spoolsv.exe	diskperf.exe
PID 1392 set thread context of 3236	1392	spoolsv.exe	spoolsv.exe
PID 1392 set thread context of 3244	1392	spoolsv.exe	diskperf.exe
PID 1624 set thread context of 3268	1624	spoolsv.exe	spoolsv.exe
PID 1624 set thread context of 3276	1624	spoolsv.exe	diskperf.exe
PID 1140 set thread context of 3304	1140	spoolsv.exe	spoolsv.exe
PID 1140 set thread context of 3312	1140	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 3332	1596	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 3340	1596	spoolsv.exe	diskperf.exe
PID 1672 set thread context of 3352	1672	spoolsv.exe	spoolsv.exe
PID 1672 set thread context of 3360	1672	spoolsv.exe	diskperf.exe
PID 1944 set thread context of 3384	1944	spoolsv.exe	spoolsv.exe
PID 1944 set thread context of 3392	1944	spoolsv.exe	diskperf.exe
PID 1008 set thread context of 3416	1008	spoolsv.exe	spoolsv.exe
PID 1008 set thread context of 3424	1008	spoolsv.exe	diskperf.exe
PID 824 set thread context of 3448	824	spoolsv.exe	spoolsv.exe
PID 824 set thread context of 3456	824	spoolsv.exe	diskperf.exe
PID 1208 set thread context of 3484	1208	spoolsv.exe	spoolsv.exe
PID 1208 set thread context of 3492	1208	spoolsv.exe	diskperf.exe
PID 1964 set thread context of 3516	1964	spoolsv.exe	spoolsv.exe
PID 1964 set thread context of 3524	1964	spoolsv.exe	diskperf.exe
PID 1920 set thread context of 3552	1920	spoolsv.exe	spoolsv.exe
PID 1920 set thread context of 3560	1920	spoolsv.exe	diskperf.exe
PID 2012 set thread context of 3588	2012	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 3596	2012	spoolsv.exe	diskperf.exe
PID 1536 set thread context of 3620	1536	spoolsv.exe	spoolsv.exe
PID 1536 set thread context of 3640	1536	spoolsv.exe	diskperf.exe
PID 1680 set thread context of 3648	1680	spoolsv.exe	spoolsv.exe
PID 1680 set thread context of 3656	1680	spoolsv.exe	diskperf.exe
PID 1032 set thread context of 3680	1032	spoolsv.exe	spoolsv.exe
PID 1032 set thread context of 3700	1032	spoolsv.exe	diskperf.exe
PID 1924 set thread context of 3712	1924	spoolsv.exe	spoolsv.exe
PID 1924 set thread context of 3720	1924	spoolsv.exe	diskperf.exe
PID 1212 set thread context of 3740	1212	spoolsv.exe	spoolsv.exe
PID 1212 set thread context of 3748	1212	spoolsv.exe	diskperf.exe
PID 896 set thread context of 3768	896	spoolsv.exe	spoolsv.exe
PID 896 set thread context of 3776	896	spoolsv.exe	diskperf.exe
PID 1092 set thread context of 3796	1092	spoolsv.exe	spoolsv.exe
PID 1092 set thread context of 3808	1092	spoolsv.exe	diskperf.exe
PID 1300 set thread context of 3820	1300	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 3828	1300	spoolsv.exe	diskperf.exe
PID 1316 set thread context of 3848	1316	spoolsv.exe	spoolsv.exe
PID 1316 set thread context of 3856	1316	spoolsv.exe	diskperf.exe
PID 1716 set thread context of 3864	1716	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 3872	1716	spoolsv.exe	diskperf.exe
PID 1976 set thread context of 3892	1976	spoolsv.exe	spoolsv.exe
PID 1976 set thread context of 3912	1976	spoolsv.exe	diskperf.exe
PID 1404 set thread context of 3920	1404	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

fd27da88_by_Libranalysis.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	fd27da88_by_Libranalysis.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fd27da88_by_Libranalysis.exeexplorer.exe

pid	process
292	fd27da88_by_Libranalysis.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

572 explorer.exe

pid	process
572	explorer.exe

Suspicious use of SetWindowsHookEx 60 IoCs

Processes:

pid	process
292	fd27da88_by_Libranalysis.exe
292	fd27da88_by_Libranalysis.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
3080	spoolsv.exe
3080	spoolsv.exe
3128	spoolsv.exe
3128	spoolsv.exe
3164	spoolsv.exe
3164	spoolsv.exe
3200	spoolsv.exe
3200	spoolsv.exe
3236	spoolsv.exe
3236	spoolsv.exe
3268	spoolsv.exe
3268	spoolsv.exe
3304	spoolsv.exe
3304	spoolsv.exe
3332	spoolsv.exe
3332	spoolsv.exe
3352	spoolsv.exe
3352	spoolsv.exe
3384	spoolsv.exe
3384	spoolsv.exe
3416	spoolsv.exe
3416	spoolsv.exe
3448	spoolsv.exe
3448	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
3516	spoolsv.exe
3516	spoolsv.exe
3552	spoolsv.exe
3552	spoolsv.exe
3588	spoolsv.exe
3588	spoolsv.exe
3620	spoolsv.exe
3620	spoolsv.exe
3648	spoolsv.exe
3648	spoolsv.exe
3680	spoolsv.exe
3680	spoolsv.exe
3712	spoolsv.exe
3712	spoolsv.exe
3740	spoolsv.exe
3740	spoolsv.exe
3768	spoolsv.exe
3768	spoolsv.exe
3796	spoolsv.exe
3796	spoolsv.exe
3820	spoolsv.exe
3820	spoolsv.exe
3864	spoolsv.exe
3864	spoolsv.exe
3848	spoolsv.exe
3848	spoolsv.exe
3892	spoolsv.exe
3892	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fd27da88_by_Libranalysis.exefd27da88_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1904 wrote to memory of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 wrote to memory of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 wrote to memory of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 wrote to memory of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 wrote to memory of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 wrote to memory of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 wrote to memory of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 wrote to memory of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 wrote to memory of 292	1904	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1904 wrote to memory of 1708	1904	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 1904 wrote to memory of 1708	1904	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 1904 wrote to memory of 1708	1904	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 1904 wrote to memory of 1708	1904	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 1904 wrote to memory of 1708	1904	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 1904 wrote to memory of 1708	1904	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 292 wrote to memory of 1680	292	fd27da88_by_Libranalysis.exe	explorer.exe
PID 292 wrote to memory of 1680	292	fd27da88_by_Libranalysis.exe	explorer.exe
PID 292 wrote to memory of 1680	292	fd27da88_by_Libranalysis.exe	explorer.exe
PID 292 wrote to memory of 1680	292	fd27da88_by_Libranalysis.exe	explorer.exe
PID 1680 wrote to memory of 572	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 572	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 572	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 572	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 572	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 572	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 572	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 572	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 572	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 828	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 828	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 828	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 828	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 828	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 828	1680	explorer.exe	diskperf.exe
PID 572 wrote to memory of 524	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 524	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 524	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 524	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1172	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1172	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1172	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1172	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 744	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 744	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 744	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 744	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1108	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1108	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1108	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1108	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1392	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1392	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1392	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1392	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1624	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1624	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1624	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1624	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1140	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1140	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1140	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1140	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1596	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1596	572	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\fd27da88_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\fd27da88_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\fd27da88_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\fd27da88_by_Libranalysis.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:292

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3080

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3112

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3128

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3148

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3192

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3200

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3220

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3236

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3268

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3288

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3304

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3332

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3352

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3384

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3408

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3416

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3448

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3516

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3552

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3588

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3620

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3712

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3740

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3788

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3848

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3892

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3904

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3940

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4000

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4028

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1836

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4080

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3168

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3296

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3240

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1188

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3336

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3404

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:396

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3552

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3616

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3664

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3728

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3864

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:848

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:912

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4052

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3168

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3096

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:808

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3384

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:536

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3796

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1708

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
fd27da880372209151379289b0e57d11

SHA1
9d9236804d7a0574ebff234bec1bea519497c27f

SHA256
9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

SHA512
d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
7592e955470f7e34b4855390baa21deb

SHA1
3526d7d2365ca81b2c6fe41908c172d92dd138b1

SHA256
d85b0df1faeb6279790355633b18c8f2e2d2d3577ad67d773b0e8fe1b7ff11c1

SHA512
9b7c3512668fcea9e936a2991ff996b07f1ab866a274c7652637e4dc07e56b7e5bb5154d33b932d47131763cf6b59b937222222fcdb4341e8d6796e067dcf4ea

Download Submit
C:\Windows\system\explorer.exe
MD5
7592e955470f7e34b4855390baa21deb

SHA1
3526d7d2365ca81b2c6fe41908c172d92dd138b1

SHA256
d85b0df1faeb6279790355633b18c8f2e2d2d3577ad67d773b0e8fe1b7ff11c1

SHA512
9b7c3512668fcea9e936a2991ff996b07f1ab866a274c7652637e4dc07e56b7e5bb5154d33b932d47131763cf6b59b937222222fcdb4341e8d6796e067dcf4ea

Download Submit
C:\Windows\system\explorer.exe
MD5
7592e955470f7e34b4855390baa21deb

SHA1
3526d7d2365ca81b2c6fe41908c172d92dd138b1

SHA256
d85b0df1faeb6279790355633b18c8f2e2d2d3577ad67d773b0e8fe1b7ff11c1

SHA512
9b7c3512668fcea9e936a2991ff996b07f1ab866a274c7652637e4dc07e56b7e5bb5154d33b932d47131763cf6b59b937222222fcdb4341e8d6796e067dcf4ea

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\??\c:\windows\system\explorer.exe
MD5
7592e955470f7e34b4855390baa21deb

SHA1
3526d7d2365ca81b2c6fe41908c172d92dd138b1

SHA256
d85b0df1faeb6279790355633b18c8f2e2d2d3577ad67d773b0e8fe1b7ff11c1

SHA512
9b7c3512668fcea9e936a2991ff996b07f1ab866a274c7652637e4dc07e56b7e5bb5154d33b932d47131763cf6b59b937222222fcdb4341e8d6796e067dcf4ea

Download Submit
\Windows\system\explorer.exe
MD5
7592e955470f7e34b4855390baa21deb

SHA1
3526d7d2365ca81b2c6fe41908c172d92dd138b1

SHA256
d85b0df1faeb6279790355633b18c8f2e2d2d3577ad67d773b0e8fe1b7ff11c1

SHA512
9b7c3512668fcea9e936a2991ff996b07f1ab866a274c7652637e4dc07e56b7e5bb5154d33b932d47131763cf6b59b937222222fcdb4341e8d6796e067dcf4ea

Download Submit
\Windows\system\explorer.exe
MD5
7592e955470f7e34b4855390baa21deb

SHA1
3526d7d2365ca81b2c6fe41908c172d92dd138b1

SHA256
d85b0df1faeb6279790355633b18c8f2e2d2d3577ad67d773b0e8fe1b7ff11c1

SHA512
9b7c3512668fcea9e936a2991ff996b07f1ab866a274c7652637e4dc07e56b7e5bb5154d33b932d47131763cf6b59b937222222fcdb4341e8d6796e067dcf4ea

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
\Windows\system\spoolsv.exe
MD5
d98a1ffbcba4c62c682d7376e65d6d0b

SHA1
32d51f5afd62e9a9774487f63030e959fa1bb063

SHA256
686dc55dcc3b48847f6685b710426750e52ae68440dc7f0b424cf04cbe1e0c78

SHA512
39be98ab803b26517c6a32d94c36e2ea98727a9af139e87d3c100f5314b68f48ecf83e3e5599dba9139ad62a5d25dca4b74bc0e7f0f9e09876d48c46f2d4569e

Download Submit
memory/292-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/292-62-0x0000000000403670-mapping.dmp

Download
memory/292-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/340-305-0x0000000000000000-mapping.dmp

Download
memory/524-95-0x0000000000000000-mapping.dmp

Download
memory/524-103-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/532-286-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/532-274-0x0000000000000000-mapping.dmp

Download
memory/568-272-0x0000000000000000-mapping.dmp

Download
memory/568-285-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/572-80-0x0000000000403670-mapping.dmp

Download
memory/644-244-0x0000000000000000-mapping.dmp

Download
memory/644-251-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/652-309-0x0000000000000000-mapping.dmp

Download
memory/744-115-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/744-107-0x0000000000000000-mapping.dmp

Download
memory/748-312-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/748-306-0x0000000000000000-mapping.dmp

Download
memory/800-234-0x0000000000000000-mapping.dmp

Download
memory/800-246-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/824-170-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/824-161-0x0000000000000000-mapping.dmp

Download
memory/828-86-0x0000000000411000-mapping.dmp

Download
memory/832-313-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/832-307-0x0000000000000000-mapping.dmp

Download
memory/836-300-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/836-294-0x0000000000000000-mapping.dmp

Download
memory/896-211-0x0000000000000000-mapping.dmp

Download
memory/968-236-0x0000000000000000-mapping.dmp

Download
memory/1008-158-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1008-154-0x0000000000000000-mapping.dmp

Download
memory/1032-210-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1032-203-0x0000000000000000-mapping.dmp

Download
memory/1064-284-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1064-269-0x0000000000000000-mapping.dmp

Download
memory/1092-228-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1092-215-0x0000000000000000-mapping.dmp

Download
memory/1108-112-0x0000000000000000-mapping.dmp

Download
memory/1108-116-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1124-280-0x0000000000000000-mapping.dmp

Download
memory/1124-289-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1140-144-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1140-129-0x0000000000000000-mapping.dmp

Download
memory/1164-248-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1164-238-0x0000000000000000-mapping.dmp

Download
memory/1172-100-0x0000000000000000-mapping.dmp

Download
memory/1172-104-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1208-173-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1208-166-0x0000000000000000-mapping.dmp

Download
memory/1212-208-0x0000000000000000-mapping.dmp

Download
memory/1212-213-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1252-308-0x0000000000000000-mapping.dmp

Download
memory/1280-304-0x0000000000000000-mapping.dmp

Download
memory/1300-229-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1300-217-0x0000000000000000-mapping.dmp

Download
memory/1316-231-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1316-219-0x0000000000000000-mapping.dmp

Download
memory/1364-290-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1364-282-0x0000000000000000-mapping.dmp

Download
memory/1388-297-0x0000000000000000-mapping.dmp

Download
memory/1392-130-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1392-119-0x0000000000000000-mapping.dmp

Download
memory/1404-223-0x0000000000000000-mapping.dmp

Download
memory/1472-301-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1472-295-0x0000000000000000-mapping.dmp

Download
memory/1496-242-0x0000000000000000-mapping.dmp

Download
memory/1536-191-0x0000000000000000-mapping.dmp

Download
memory/1536-199-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1560-254-0x0000000000000000-mapping.dmp

Download
memory/1560-265-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1596-136-0x0000000000000000-mapping.dmp

Download
memory/1596-146-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1624-124-0x0000000000000000-mapping.dmp

Download
memory/1624-131-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1628-288-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1628-278-0x0000000000000000-mapping.dmp

Download
memory/1672-141-0x0000000000000000-mapping.dmp

Download
memory/1672-145-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1680-77-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1680-196-0x0000000000000000-mapping.dmp

Download
memory/1680-72-0x0000000000000000-mapping.dmp

Download
memory/1680-200-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1684-293-0x0000000000000000-mapping.dmp

Download
memory/1684-299-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1704-240-0x0000000000000000-mapping.dmp

Download
memory/1704-249-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1708-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1708-66-0x0000000000411000-mapping.dmp

Download
memory/1708-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1716-221-0x0000000000000000-mapping.dmp

Download
memory/1764-298-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1764-291-0x0000000000000000-mapping.dmp

Download
memory/1772-258-0x0000000000000000-mapping.dmp

Download
memory/1804-276-0x0000000000000000-mapping.dmp

Download
memory/1904-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1904-59-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1920-178-0x0000000000000000-mapping.dmp

Download
memory/1924-212-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1924-206-0x0000000000000000-mapping.dmp

Download
memory/1940-296-0x0000000000000000-mapping.dmp

Download
memory/1944-149-0x0000000000000000-mapping.dmp

Download
memory/1944-157-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1952-264-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1952-252-0x0000000000000000-mapping.dmp

Download
memory/1964-172-0x0000000000000000-mapping.dmp

Download
memory/1976-230-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1976-225-0x0000000000000000-mapping.dmp

Download
memory/2012-183-0x0000000000000000-mapping.dmp

Download
memory/2024-256-0x0000000000000000-mapping.dmp

Download
memory/2024-266-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2028-262-0x0000000000000000-mapping.dmp

Download
memory/2028-270-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2032-260-0x0000000000000000-mapping.dmp

Download
memory/2032-268-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads