warzonerat | 9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

Analysis

max time kernel
150s
max time network
113s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd27da88_by_Libranalysis.exe
Size

1.8MB
MD5

fd27da880372209151379289b0e57d11
SHA1

9d9236804d7a0574ebff234bec1bea519497c27f
SHA256

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339
SHA512

d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3592	explorer.exe
3440	explorer.exe
296	spoolsv.exe
3848	spoolsv.exe
3832	spoolsv.exe
1532	spoolsv.exe
2792	spoolsv.exe
2368	spoolsv.exe
2488	spoolsv.exe
1152	spoolsv.exe
2804	spoolsv.exe
3752	spoolsv.exe
2856	spoolsv.exe
2316	spoolsv.exe
3676	spoolsv.exe
2256	spoolsv.exe
1804	spoolsv.exe
2568	spoolsv.exe
776	spoolsv.exe
1756	spoolsv.exe
1404	spoolsv.exe
3800	spoolsv.exe
2972	spoolsv.exe
1452	spoolsv.exe
2912	spoolsv.exe
4088	spoolsv.exe
2224	spoolsv.exe
2144	spoolsv.exe
2104	spoolsv.exe
3492	spoolsv.exe
200	spoolsv.exe
2484	spoolsv.exe
1524	spoolsv.exe
3908	spoolsv.exe
2328	spoolsv.exe
2860	spoolsv.exe
3184	spoolsv.exe
3964	spoolsv.exe
4076	spoolsv.exe
1496	spoolsv.exe
3992	spoolsv.exe
2756	spoolsv.exe
724	spoolsv.exe
2312	spoolsv.exe
1528	spoolsv.exe
3368	spoolsv.exe
188	spoolsv.exe
1324	spoolsv.exe
4008	spoolsv.exe
2152	spoolsv.exe
4116	spoolsv.exe
4152	spoolsv.exe
4176	spoolsv.exe
4200	spoolsv.exe
4224	spoolsv.exe
4264	spoolsv.exe
4288	spoolsv.exe
4312	spoolsv.exe
4348	spoolsv.exe
4372	spoolsv.exe
4396	spoolsv.exe
4416	spoolsv.exe
4436	spoolsv.exe
4464	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exefd27da88_by_Libranalysis.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	fd27da88_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

fd27da88_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1016 set thread context of 3564	1016	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 3592 set thread context of 3440	3592	explorer.exe	explorer.exe
PID 3592 set thread context of 2404	3592	explorer.exe	diskperf.exe
PID 296 set thread context of 6704	296	spoolsv.exe	spoolsv.exe
PID 296 set thread context of 6732	296	spoolsv.exe	diskperf.exe
PID 3848 set thread context of 6808	3848	spoolsv.exe	spoolsv.exe
PID 3848 set thread context of 6824	3848	spoolsv.exe	diskperf.exe
PID 3832 set thread context of 6892	3832	spoolsv.exe	spoolsv.exe
PID 1532 set thread context of 6900	1532	spoolsv.exe	spoolsv.exe
PID 3832 set thread context of 6924	3832	spoolsv.exe	diskperf.exe
PID 1532 set thread context of 6956	1532	spoolsv.exe	diskperf.exe
PID 2792 set thread context of 6980	2792	spoolsv.exe	spoolsv.exe
PID 2792 set thread context of 7024	2792	spoolsv.exe	diskperf.exe
PID 2368 set thread context of 7076	2368	spoolsv.exe	spoolsv.exe
PID 2488 set thread context of 7100	2488	spoolsv.exe	spoolsv.exe
PID 1152 set thread context of 7108	1152	spoolsv.exe	spoolsv.exe
PID 2368 set thread context of 7124	2368	spoolsv.exe	diskperf.exe
PID 1152 set thread context of 1172	1152	spoolsv.exe	diskperf.exe
PID 2804 set thread context of 6740	2804	spoolsv.exe	spoolsv.exe
PID 2488 set thread context of 368	2488	spoolsv.exe	diskperf.exe
PID 2804 set thread context of 6720	2804	spoolsv.exe	diskperf.exe
PID 3752 set thread context of 6840	3752	spoolsv.exe	spoolsv.exe
PID 3752 set thread context of 6852	3752	spoolsv.exe	diskperf.exe
PID 2856 set thread context of 6820	2856	spoolsv.exe	spoolsv.exe
PID 2856 set thread context of 6936	2856	spoolsv.exe	diskperf.exe
PID 2316 set thread context of 6988	2316	spoolsv.exe	spoolsv.exe
PID 2316 set thread context of 6992	2316	spoolsv.exe	diskperf.exe
PID 3676 set thread context of 7000	3676	spoolsv.exe	spoolsv.exe
PID 3676 set thread context of 6932	3676	spoolsv.exe	diskperf.exe
PID 2256 set thread context of 7072	2256	spoolsv.exe	spoolsv.exe
PID 2256 set thread context of 6984	2256	spoolsv.exe	diskperf.exe
PID 1804 set thread context of 7136	1804	spoolsv.exe	spoolsv.exe
PID 1804 set thread context of 7152	1804	spoolsv.exe	diskperf.exe
PID 2568 set thread context of 3640	2568	spoolsv.exe	spoolsv.exe
PID 2568 set thread context of 940	2568	spoolsv.exe	diskperf.exe
PID 776 set thread context of 7104	776	spoolsv.exe	spoolsv.exe
PID 776 set thread context of 644	776	spoolsv.exe	diskperf.exe
PID 1756 set thread context of 4016	1756	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 6912	1756	spoolsv.exe	diskperf.exe
PID 1404 set thread context of 6964	1404	spoolsv.exe	svchost.exe
PID 1404 set thread context of 2280	1404	spoolsv.exe	diskperf.exe
PID 3800 set thread context of 6948	3800	spoolsv.exe	spoolsv.exe
PID 3800 set thread context of 3144	3800	spoolsv.exe	diskperf.exe
PID 2972 set thread context of 4040	2972	spoolsv.exe	spoolsv.exe
PID 2972 set thread context of 6748	2972	spoolsv.exe	diskperf.exe
PID 1452 set thread context of 6744	1452	spoolsv.exe	spoolsv.exe
PID 1452 set thread context of 4448	1452	spoolsv.exe	diskperf.exe
PID 2912 set thread context of 3836	2912	spoolsv.exe	svchost.exe
PID 2912 set thread context of 6988	2912	spoolsv.exe	diskperf.exe
PID 4088 set thread context of 4520	4088	spoolsv.exe	spoolsv.exe
PID 2224 set thread context of 6716	2224	spoolsv.exe	spoolsv.exe
PID 2224 set thread context of 4556	2224	spoolsv.exe	diskperf.exe
PID 2144 set thread context of 4044	2144	spoolsv.exe	spoolsv.exe
PID 2144 set thread context of 4588	2144	spoolsv.exe	diskperf.exe
PID 2104 set thread context of 912	2104	spoolsv.exe	svchost.exe
PID 2104 set thread context of 3156	2104	spoolsv.exe	diskperf.exe
PID 3492 set thread context of 584	3492	spoolsv.exe	spoolsv.exe
PID 200 set thread context of 1240	200	spoolsv.exe	spoolsv.exe
PID 200 set thread context of 4636	200	spoolsv.exe	diskperf.exe
PID 2484 set thread context of 4664	2484	spoolsv.exe	spoolsv.exe
PID 2484 set thread context of 1548	2484	spoolsv.exe	diskperf.exe
PID 1524 set thread context of 1328	1524	spoolsv.exe	spoolsv.exe
PID 1524 set thread context of 1836	1524	spoolsv.exe	diskperf.exe
PID 3908 set thread context of 1888	3908	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

spoolsv.exefd27da88_by_Libranalysis.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	fd27da88_by_Libranalysis.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fd27da88_by_Libranalysis.exeexplorer.exe

pid	process
3564	fd27da88_by_Libranalysis.exe
3564	fd27da88_by_Libranalysis.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3440 explorer.exe

pid	process
3440	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

fd27da88_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exe

pid	process
3564	fd27da88_by_Libranalysis.exe
3564	fd27da88_by_Libranalysis.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
3440	explorer.exe
6704	spoolsv.exe
6704	spoolsv.exe
6808	spoolsv.exe
6808	spoolsv.exe
6892	spoolsv.exe
6900	spoolsv.exe
6892	spoolsv.exe
6900	spoolsv.exe
6980	spoolsv.exe
6980	spoolsv.exe
7076	spoolsv.exe
7108	spoolsv.exe
7076	spoolsv.exe
7100	spoolsv.exe
7100	spoolsv.exe
7108	spoolsv.exe
6740	spoolsv.exe
6740	spoolsv.exe
6840	spoolsv.exe
6840	spoolsv.exe
6820	spoolsv.exe
6820	spoolsv.exe
6988	spoolsv.exe
6988	spoolsv.exe
7000	spoolsv.exe
7000	spoolsv.exe
7072	spoolsv.exe
7072	spoolsv.exe
7136	spoolsv.exe
7136	spoolsv.exe
3640	spoolsv.exe
3640	spoolsv.exe
7104	spoolsv.exe
7104	spoolsv.exe
4016	spoolsv.exe
4016	spoolsv.exe
6964	svchost.exe
6964	svchost.exe
6948	spoolsv.exe
6948	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
6744	spoolsv.exe
6744	spoolsv.exe
3836	svchost.exe
3836	svchost.exe
4520	spoolsv.exe
4520	spoolsv.exe
6716	spoolsv.exe
6716	spoolsv.exe
4044	spoolsv.exe
4044	spoolsv.exe
912	svchost.exe
912	svchost.exe
584	spoolsv.exe
584	spoolsv.exe
1240	spoolsv.exe
1240	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fd27da88_by_Libranalysis.exefd27da88_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1016 wrote to memory of 3564	1016	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1016 wrote to memory of 3564	1016	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1016 wrote to memory of 3564	1016	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1016 wrote to memory of 3564	1016	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1016 wrote to memory of 3564	1016	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1016 wrote to memory of 3564	1016	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1016 wrote to memory of 3564	1016	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1016 wrote to memory of 3564	1016	fd27da88_by_Libranalysis.exe	fd27da88_by_Libranalysis.exe
PID 1016 wrote to memory of 3820	1016	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 1016 wrote to memory of 3820	1016	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 1016 wrote to memory of 3820	1016	fd27da88_by_Libranalysis.exe	diskperf.exe
PID 3564 wrote to memory of 3592	3564	fd27da88_by_Libranalysis.exe	explorer.exe
PID 3564 wrote to memory of 3592	3564	fd27da88_by_Libranalysis.exe	explorer.exe
PID 3564 wrote to memory of 3592	3564	fd27da88_by_Libranalysis.exe	explorer.exe
PID 3592 wrote to memory of 3440	3592	explorer.exe	explorer.exe
PID 3592 wrote to memory of 3440	3592	explorer.exe	explorer.exe
PID 3592 wrote to memory of 3440	3592	explorer.exe	explorer.exe
PID 3592 wrote to memory of 3440	3592	explorer.exe	explorer.exe
PID 3592 wrote to memory of 3440	3592	explorer.exe	explorer.exe
PID 3592 wrote to memory of 3440	3592	explorer.exe	explorer.exe
PID 3592 wrote to memory of 3440	3592	explorer.exe	explorer.exe
PID 3592 wrote to memory of 3440	3592	explorer.exe	explorer.exe
PID 3592 wrote to memory of 2404	3592	explorer.exe	diskperf.exe
PID 3592 wrote to memory of 2404	3592	explorer.exe	diskperf.exe
PID 3592 wrote to memory of 2404	3592	explorer.exe	diskperf.exe
PID 3592 wrote to memory of 2404	3592	explorer.exe	diskperf.exe
PID 3592 wrote to memory of 2404	3592	explorer.exe	diskperf.exe
PID 3440 wrote to memory of 296	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 296	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 296	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3848	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3848	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3848	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3832	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3832	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3832	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 1532	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 1532	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 1532	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2792	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2792	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2792	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2368	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2368	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2368	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2488	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2488	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2488	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 1152	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 1152	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 1152	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2804	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2804	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2804	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3752	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3752	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3752	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2856	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2856	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2856	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2316	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2316	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 2316	3440	explorer.exe	spoolsv.exe
PID 3440 wrote to memory of 3676	3440	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\fd27da88_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\fd27da88_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\fd27da88_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\fd27da88_by_Libranalysis.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3564

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3592

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6808

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6892

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6900

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3752

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7000

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7136

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2356

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3640

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1216

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7104

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3168

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:6964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6948

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6744

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3836

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Suspicious use of SetWindowsHookEx
PID:6964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4520

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6716

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:904

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:912

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1240

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7136

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4664

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1328

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3092

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4632

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4848

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1032

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1312

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1328

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4044

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3996

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:588

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5104

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2192

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4256

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3996

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1408

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4424

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3716

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3180

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5248

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1968

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4136

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3592

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5364

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4216

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4168

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5352

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5384

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4216

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4168

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:2404

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:3820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:6944

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
fd27da880372209151379289b0e57d11

SHA1
9d9236804d7a0574ebff234bec1bea519497c27f

SHA256
9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

SHA512
d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
7f55faca679925a1b083d6bab8f3d521

SHA1
7e93733842ae88a1193c219b58b338a5d6172feb

SHA256
1e11ca3dd080904f7a6f4254f699bb23df26bd6f8c2ccec522262d841cf85530

SHA512
bab941e2c4e591d468b2311ccc76c04cfedb53a8fd2ffa663abe3e6300eaa5e2383098516a087ab1c98fda2de0f0bc853d125097d86ef29053fc401f3a0737fc

Download Submit
C:\Windows\System\explorer.exe
MD5
7f55faca679925a1b083d6bab8f3d521

SHA1
7e93733842ae88a1193c219b58b338a5d6172feb

SHA256
1e11ca3dd080904f7a6f4254f699bb23df26bd6f8c2ccec522262d841cf85530

SHA512
bab941e2c4e591d468b2311ccc76c04cfedb53a8fd2ffa663abe3e6300eaa5e2383098516a087ab1c98fda2de0f0bc853d125097d86ef29053fc401f3a0737fc

Download Submit
C:\Windows\System\explorer.exe
MD5
7f55faca679925a1b083d6bab8f3d521

SHA1
7e93733842ae88a1193c219b58b338a5d6172feb

SHA256
1e11ca3dd080904f7a6f4254f699bb23df26bd6f8c2ccec522262d841cf85530

SHA512
bab941e2c4e591d468b2311ccc76c04cfedb53a8fd2ffa663abe3e6300eaa5e2383098516a087ab1c98fda2de0f0bc853d125097d86ef29053fc401f3a0737fc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
C:\Windows\System\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
\??\c:\windows\system\explorer.exe
MD5
7f55faca679925a1b083d6bab8f3d521

SHA1
7e93733842ae88a1193c219b58b338a5d6172feb

SHA256
1e11ca3dd080904f7a6f4254f699bb23df26bd6f8c2ccec522262d841cf85530

SHA512
bab941e2c4e591d468b2311ccc76c04cfedb53a8fd2ffa663abe3e6300eaa5e2383098516a087ab1c98fda2de0f0bc853d125097d86ef29053fc401f3a0737fc

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
26e9448faa2ab2bcab30fd0654f176b1

SHA1
292f80c09f1c918e01455acf3874ce3b8595c73f

SHA256
5bb07f2f85950245adb7e63fab3c22030387756d9bd34af6102eaa9ece7cd64f

SHA512
aea760d704a625a51adfc6ec638e815453de5412a4315ff540248e5eecc0a58e9836258df5926072dbb08955cc57b51fedc85aead6c6cd9e0617ab0f85325737

Download Submit
memory/188-270-0x0000000000000000-mapping.dmp

Download
memory/188-277-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/200-224-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/200-221-0x0000000000000000-mapping.dmp

Download
memory/296-139-0x0000000000000000-mapping.dmp

Download
memory/296-148-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/724-264-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/724-259-0x0000000000000000-mapping.dmp

Download
memory/776-192-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/776-187-0x0000000000000000-mapping.dmp

Download
memory/1016-114-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/1152-161-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/1152-158-0x0000000000000000-mapping.dmp

Download
memory/1324-272-0x0000000000000000-mapping.dmp

Download
memory/1324-275-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1404-194-0x0000000000000000-mapping.dmp

Download
memory/1404-200-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1452-203-0x0000000000000000-mapping.dmp

Download
memory/1452-211-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1496-256-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/1496-250-0x0000000000000000-mapping.dmp

Download
memory/1524-234-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1524-229-0x0000000000000000-mapping.dmp

Download
memory/1528-274-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1528-266-0x0000000000000000-mapping.dmp

Download
memory/1532-149-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1532-146-0x0000000000000000-mapping.dmp

Download
memory/1756-193-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1756-189-0x0000000000000000-mapping.dmp

Download
memory/1804-184-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1804-179-0x0000000000000000-mapping.dmp

Download
memory/2104-217-0x0000000000000000-mapping.dmp

Download
memory/2104-225-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2144-215-0x0000000000000000-mapping.dmp

Download
memory/2152-286-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2152-280-0x0000000000000000-mapping.dmp

Download
memory/2224-214-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/2224-209-0x0000000000000000-mapping.dmp

Download
memory/2256-183-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2256-177-0x0000000000000000-mapping.dmp

Download
memory/2312-261-0x0000000000000000-mapping.dmp

Download
memory/2312-265-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2316-173-0x0000000000000000-mapping.dmp

Download
memory/2316-181-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2328-243-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2328-236-0x0000000000000000-mapping.dmp

Download
memory/2368-154-0x0000000000000000-mapping.dmp

Download
memory/2368-162-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2404-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2404-131-0x0000000000411000-mapping.dmp

Download
memory/2404-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2484-227-0x0000000000000000-mapping.dmp

Download
memory/2484-233-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2488-163-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2488-156-0x0000000000000000-mapping.dmp

Download
memory/2568-191-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2568-185-0x0000000000000000-mapping.dmp

Download
memory/2756-257-0x0000000000000000-mapping.dmp

Download
memory/2792-152-0x0000000000000000-mapping.dmp

Download
memory/2792-160-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2804-164-0x0000000000000000-mapping.dmp

Download
memory/2804-170-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2856-168-0x0000000000000000-mapping.dmp

Download
memory/2856-172-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2860-238-0x0000000000000000-mapping.dmp

Download
memory/2860-246-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2912-205-0x0000000000000000-mapping.dmp

Download
memory/2972-198-0x0000000000000000-mapping.dmp

Download
memory/3184-240-0x0000000000000000-mapping.dmp

Download
memory/3184-247-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3368-268-0x0000000000000000-mapping.dmp

Download
memory/3368-276-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3440-126-0x0000000000403670-mapping.dmp

Download
memory/3492-226-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3492-219-0x0000000000000000-mapping.dmp

Download
memory/3564-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-117-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3564-116-0x0000000000403670-mapping.dmp

Download
memory/3592-121-0x0000000000000000-mapping.dmp

Download
memory/3592-124-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/3676-182-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3676-175-0x0000000000000000-mapping.dmp

Download
memory/3752-166-0x0000000000000000-mapping.dmp

Download
memory/3752-171-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/3800-196-0x0000000000000000-mapping.dmp

Download
memory/3832-151-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3832-144-0x0000000000000000-mapping.dmp

Download
memory/3848-142-0x0000000000000000-mapping.dmp

Download
memory/3848-150-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3908-231-0x0000000000000000-mapping.dmp

Download
memory/3908-235-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3964-245-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3964-242-0x0000000000000000-mapping.dmp

Download
memory/3992-252-0x0000000000000000-mapping.dmp

Download
memory/3992-255-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4008-278-0x0000000000000000-mapping.dmp

Download
memory/4008-284-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4076-248-0x0000000000000000-mapping.dmp

Download
memory/4076-254-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4088-213-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4088-207-0x0000000000000000-mapping.dmp

Download
memory/4116-285-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4116-282-0x0000000000000000-mapping.dmp

Download
memory/4152-295-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4152-287-0x0000000000000000-mapping.dmp

Download
memory/4176-296-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4176-289-0x0000000000000000-mapping.dmp

Download
memory/4200-298-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/4200-291-0x0000000000000000-mapping.dmp

Download
memory/4224-297-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4224-293-0x0000000000000000-mapping.dmp

Download
memory/4264-299-0x0000000000000000-mapping.dmp

Download
memory/4264-305-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4288-306-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4288-301-0x0000000000000000-mapping.dmp

Download
memory/4312-307-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4312-303-0x0000000000000000-mapping.dmp

Download
memory/4348-308-0x0000000000000000-mapping.dmp

Download
memory/4348-314-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4372-310-0x0000000000000000-mapping.dmp

Download
memory/4372-315-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4396-312-0x0000000000000000-mapping.dmp

Download
memory/4396-316-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4416-313-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads