warzonerat | bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1

Analysis

max time kernel
151s
max time network
121s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b78f5c47_by_Libranalysis.exe
Size

1.8MB
MD5

b78f5c47acef55129ff8d9862c477dcf
SHA1

4c8d602143a1a2fd5201ec4214cee155101e5911
SHA256

bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1
SHA512

d18d7a9999a9f50236efe551667dc9c6e226cfd6151a45d7712d980779599d9f5f81f74d97910b73f907e0ba54a85fb38fb5c489ac3cbbbaf49a39f7be28330e

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3344	explorer.exe
3164	explorer.exe
3600	spoolsv.exe
3876	spoolsv.exe
2768	spoolsv.exe
3448	spoolsv.exe
3500	spoolsv.exe
1676	spoolsv.exe
2284	spoolsv.exe
2224	spoolsv.exe
3908	spoolsv.exe
1212	spoolsv.exe
908	spoolsv.exe
208	spoolsv.exe
3144	spoolsv.exe
1320	spoolsv.exe
1992	spoolsv.exe
1512	spoolsv.exe
3384	spoolsv.exe
3484	spoolsv.exe
2300	spoolsv.exe
2732	spoolsv.exe
3412	spoolsv.exe
3156	spoolsv.exe
3100	spoolsv.exe
1056	spoolsv.exe
2424	spoolsv.exe
2124	spoolsv.exe
3052	spoolsv.exe
1260	spoolsv.exe
4088	spoolsv.exe
2524	spoolsv.exe
4068	spoolsv.exe
3912	spoolsv.exe
588	spoolsv.exe
2064	spoolsv.exe
3240	spoolsv.exe
808	spoolsv.exe
2988	spoolsv.exe
1548	spoolsv.exe
2056	spoolsv.exe
3040	spoolsv.exe
1300	spoolsv.exe
2880	spoolsv.exe
3676	spoolsv.exe
780	spoolsv.exe
856	spoolsv.exe
1796	spoolsv.exe
812	spoolsv.exe
900	spoolsv.exe
4120	spoolsv.exe
4160	spoolsv.exe
4184	spoolsv.exe
4208	spoolsv.exe
4244	spoolsv.exe
4268	spoolsv.exe
4292	spoolsv.exe
4332	spoolsv.exe
4356	spoolsv.exe
4380	spoolsv.exe
4404	spoolsv.exe
4440	spoolsv.exe
4460	spoolsv.exe
4476	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeb78f5c47_by_Libranalysis.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	b78f5c47_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

b78f5c47_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 808 set thread context of 936	808	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 808 set thread context of 2956	808	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 3344 set thread context of 3164	3344	explorer.exe	explorer.exe
PID 3600 set thread context of 6680	3600	spoolsv.exe	spoolsv.exe
PID 3600 set thread context of 6704	3600	spoolsv.exe	diskperf.exe
PID 3876 set thread context of 6768	3876	spoolsv.exe	spoolsv.exe
PID 2768 set thread context of 6824	2768	spoolsv.exe	spoolsv.exe
PID 3876 set thread context of 6796	3876	spoolsv.exe	diskperf.exe
PID 2768 set thread context of 6848	2768	spoolsv.exe	diskperf.exe
PID 3448 set thread context of 6924	3448	spoolsv.exe	spoolsv.exe
PID 3448 set thread context of 6952	3448	spoolsv.exe	diskperf.exe
PID 3500 set thread context of 6976	3500	spoolsv.exe	spoolsv.exe
PID 3500 set thread context of 7000	3500	spoolsv.exe	diskperf.exe
PID 1676 set thread context of 7028	1676	spoolsv.exe	spoolsv.exe
PID 1676 set thread context of 7064	1676	spoolsv.exe	diskperf.exe
PID 2284 set thread context of 7128	2284	spoolsv.exe	spoolsv.exe
PID 2224 set thread context of 7148	2224	spoolsv.exe	spoolsv.exe
PID 2284 set thread context of 7164	2284	spoolsv.exe	diskperf.exe
PID 2224 set thread context of 3672	2224	spoolsv.exe	diskperf.exe
PID 3908 set thread context of 1908	3908	spoolsv.exe	spoolsv.exe
PID 3908 set thread context of 6780	3908	spoolsv.exe	diskperf.exe
PID 1212 set thread context of 748	1212	spoolsv.exe	spoolsv.exe
PID 1212 set thread context of 3140	1212	spoolsv.exe	diskperf.exe
PID 908 set thread context of 6712	908	spoolsv.exe	spoolsv.exe
PID 908 set thread context of 6872	908	spoolsv.exe	diskperf.exe
PID 208 set thread context of 3696	208	spoolsv.exe	spoolsv.exe
PID 208 set thread context of 2232	208	spoolsv.exe	diskperf.exe
PID 3144 set thread context of 3328	3144	spoolsv.exe	spoolsv.exe
PID 3144 set thread context of 7096	3144	spoolsv.exe	diskperf.exe
PID 1320 set thread context of 7084	1320	spoolsv.exe	spoolsv.exe
PID 1320 set thread context of 7056	1320	spoolsv.exe	diskperf.exe
PID 1992 set thread context of 6700	1992	spoolsv.exe	spoolsv.exe
PID 1512 set thread context of 3768	1512	spoolsv.exe	spoolsv.exe
PID 1512 set thread context of 6784	1512	spoolsv.exe	diskperf.exe
PID 3384 set thread context of 4044	3384	spoolsv.exe	spoolsv.exe
PID 3384 set thread context of 6692	3384	spoolsv.exe	diskperf.exe
PID 3484 set thread context of 6696	3484	spoolsv.exe	spoolsv.exe
PID 3484 set thread context of 4072	3484	spoolsv.exe	diskperf.exe
PID 2300 set thread context of 512	2300	spoolsv.exe	spoolsv.exe
PID 2300 set thread context of 6948	2300	spoolsv.exe	diskperf.exe
PID 2732 set thread context of 1560	2732	spoolsv.exe	spoolsv.exe
PID 2732 set thread context of 6752	2732	spoolsv.exe	diskperf.exe
PID 3412 set thread context of 3304	3412	spoolsv.exe	spoolsv.exe
PID 3412 set thread context of 3768	3412	spoolsv.exe	diskperf.exe
PID 3156 set thread context of 3932	3156	spoolsv.exe	spoolsv.exe
PID 3156 set thread context of 1904	3156	spoolsv.exe	diskperf.exe
PID 3100 set thread context of 4176	3100	spoolsv.exe	spoolsv.exe
PID 3100 set thread context of 2384	3100	spoolsv.exe	diskperf.exe
PID 1056 set thread context of 2180	1056	spoolsv.exe	spoolsv.exe
PID 1056 set thread context of 544	1056	spoolsv.exe	diskperf.exe
PID 2424 set thread context of 1376	2424	spoolsv.exe	spoolsv.exe
PID 2424 set thread context of 3860	2424	spoolsv.exe	diskperf.exe
PID 2124 set thread context of 4484	2124	spoolsv.exe	spoolsv.exe
PID 2124 set thread context of 2556	2124	spoolsv.exe	diskperf.exe
PID 3052 set thread context of 1652	3052	spoolsv.exe	spoolsv.exe
PID 1260 set thread context of 4564	1260	spoolsv.exe	spoolsv.exe
PID 4088 set thread context of 2148	4088	spoolsv.exe	spoolsv.exe
PID 4088 set thread context of 2188	4088	spoolsv.exe	diskperf.exe
PID 2524 set thread context of 296	2524	spoolsv.exe	spoolsv.exe
PID 2524 set thread context of 6700	2524	spoolsv.exe	diskperf.exe
PID 4068 set thread context of 4676	4068	spoolsv.exe	spoolsv.exe
PID 4068 set thread context of 4488	4068	spoolsv.exe	diskperf.exe
PID 3912 set thread context of 1168	3912	spoolsv.exe	spoolsv.exe
PID 3912 set thread context of 1836	3912	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

b78f5c47_by_Libranalysis.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	b78f5c47_by_Libranalysis.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b78f5c47_by_Libranalysis.exeexplorer.exe

pid	process
936	b78f5c47_by_Libranalysis.exe
936	b78f5c47_by_Libranalysis.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3164 explorer.exe

pid	process
3164	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
936	b78f5c47_by_Libranalysis.exe
936	b78f5c47_by_Libranalysis.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
3164	explorer.exe
6680	spoolsv.exe
6680	spoolsv.exe
6768	spoolsv.exe
6768	spoolsv.exe
6824	spoolsv.exe
6824	spoolsv.exe
6924	spoolsv.exe
6976	spoolsv.exe
6924	spoolsv.exe
6976	spoolsv.exe
7028	spoolsv.exe
7028	spoolsv.exe
7128	spoolsv.exe
7148	spoolsv.exe
7128	spoolsv.exe
1908	spoolsv.exe
1908	spoolsv.exe
7148	spoolsv.exe
748	spoolsv.exe
748	spoolsv.exe
6712	spoolsv.exe
6712	spoolsv.exe
3696	spoolsv.exe
3696	spoolsv.exe
3328	spoolsv.exe
3328	spoolsv.exe
7084	spoolsv.exe
7084	spoolsv.exe
6700	spoolsv.exe
6700	spoolsv.exe
3768	spoolsv.exe
3768	spoolsv.exe
4044	spoolsv.exe
4044	spoolsv.exe
6696	spoolsv.exe
6696	spoolsv.exe
512	spoolsv.exe
512	spoolsv.exe
1560	spoolsv.exe
1560	spoolsv.exe
3304	spoolsv.exe
3304	spoolsv.exe
3932	spoolsv.exe
3932	spoolsv.exe
4176	spoolsv.exe
4176	spoolsv.exe
2180	spoolsv.exe
2180	spoolsv.exe
1376	spoolsv.exe
1376	spoolsv.exe
4484	spoolsv.exe
4484	spoolsv.exe
1652	spoolsv.exe
1652	spoolsv.exe
4564	spoolsv.exe
4564	spoolsv.exe
2148	spoolsv.exe
2148	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b78f5c47_by_Libranalysis.exeb78f5c47_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 808 wrote to memory of 936	808	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 808 wrote to memory of 936	808	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 808 wrote to memory of 936	808	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 808 wrote to memory of 936	808	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 808 wrote to memory of 936	808	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 808 wrote to memory of 936	808	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 808 wrote to memory of 936	808	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 808 wrote to memory of 936	808	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 808 wrote to memory of 2956	808	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 808 wrote to memory of 2956	808	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 808 wrote to memory of 2956	808	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 808 wrote to memory of 2956	808	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 808 wrote to memory of 2956	808	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 936 wrote to memory of 3344	936	b78f5c47_by_Libranalysis.exe	explorer.exe
PID 936 wrote to memory of 3344	936	b78f5c47_by_Libranalysis.exe	explorer.exe
PID 936 wrote to memory of 3344	936	b78f5c47_by_Libranalysis.exe	explorer.exe
PID 3344 wrote to memory of 3164	3344	explorer.exe	explorer.exe
PID 3344 wrote to memory of 3164	3344	explorer.exe	explorer.exe
PID 3344 wrote to memory of 3164	3344	explorer.exe	explorer.exe
PID 3344 wrote to memory of 3164	3344	explorer.exe	explorer.exe
PID 3344 wrote to memory of 3164	3344	explorer.exe	explorer.exe
PID 3344 wrote to memory of 3164	3344	explorer.exe	explorer.exe
PID 3344 wrote to memory of 3164	3344	explorer.exe	explorer.exe
PID 3344 wrote to memory of 3164	3344	explorer.exe	explorer.exe
PID 3344 wrote to memory of 1164	3344	explorer.exe	diskperf.exe
PID 3344 wrote to memory of 1164	3344	explorer.exe	diskperf.exe
PID 3344 wrote to memory of 1164	3344	explorer.exe	diskperf.exe
PID 3164 wrote to memory of 3600	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3600	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3600	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3876	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3876	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3876	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 2768	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 2768	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 2768	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3448	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3448	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3448	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3500	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3500	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3500	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 1676	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 1676	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 1676	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 2284	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 2284	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 2284	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 2224	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 2224	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 2224	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3908	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3908	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3908	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 1212	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 1212	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 1212	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 908	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 908	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 908	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 208	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 208	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 208	3164	explorer.exe	spoolsv.exe
PID 3164 wrote to memory of 3144	3164	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\b78f5c47_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\b78f5c47_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\b78f5c47_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\b78f5c47_by_Libranalysis.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3344

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6900

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6924

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7128

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3848

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7148

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6712

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3328

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6700

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:512

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1560

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3304

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3932

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4176

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2180

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1376

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1652

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4564

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2260

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:296

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1168

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4536

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4176

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4776

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4856

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4932

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4788

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4804

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3788

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4916

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2876

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4368

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:2956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b78f5c47acef55129ff8d9862c477dcf

SHA1
4c8d602143a1a2fd5201ec4214cee155101e5911

SHA256
bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1

SHA512
d18d7a9999a9f50236efe551667dc9c6e226cfd6151a45d7712d980779599d9f5f81f74d97910b73f907e0ba54a85fb38fb5c489ac3cbbbaf49a39f7be28330e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
0281f9019aec5239ea6f9ab34837431a

SHA1
e9d9ae7939510f53a1b44ef7ca18bd3621ca33a5

SHA256
aa7a2d898911640aa7b7bae1856bf7344c727fecfc75b7df0ad81fccf15c540c

SHA512
274b07a15bd61efd2f69763ce47d60563a066b92f173afdb83da6e71230b72f751c18eb1b308594f5dc547bb1ea2db41433a3f48aaba65987143ae8cc0de6734

Download Submit
C:\Windows\System\explorer.exe
MD5
0281f9019aec5239ea6f9ab34837431a

SHA1
e9d9ae7939510f53a1b44ef7ca18bd3621ca33a5

SHA256
aa7a2d898911640aa7b7bae1856bf7344c727fecfc75b7df0ad81fccf15c540c

SHA512
274b07a15bd61efd2f69763ce47d60563a066b92f173afdb83da6e71230b72f751c18eb1b308594f5dc547bb1ea2db41433a3f48aaba65987143ae8cc0de6734

Download Submit
C:\Windows\System\explorer.exe
MD5
0281f9019aec5239ea6f9ab34837431a

SHA1
e9d9ae7939510f53a1b44ef7ca18bd3621ca33a5

SHA256
aa7a2d898911640aa7b7bae1856bf7344c727fecfc75b7df0ad81fccf15c540c

SHA512
274b07a15bd61efd2f69763ce47d60563a066b92f173afdb83da6e71230b72f751c18eb1b308594f5dc547bb1ea2db41433a3f48aaba65987143ae8cc0de6734

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
C:\Windows\System\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
\??\c:\windows\system\explorer.exe
MD5
0281f9019aec5239ea6f9ab34837431a

SHA1
e9d9ae7939510f53a1b44ef7ca18bd3621ca33a5

SHA256
aa7a2d898911640aa7b7bae1856bf7344c727fecfc75b7df0ad81fccf15c540c

SHA512
274b07a15bd61efd2f69763ce47d60563a066b92f173afdb83da6e71230b72f751c18eb1b308594f5dc547bb1ea2db41433a3f48aaba65987143ae8cc0de6734

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
262f8ce7826babcb109ab66e2a3c1f24

SHA1
5f3211384a472cf70c2687ae63f31bdc7f9104d2

SHA256
6f01d604eecfacb6e19296a62e90b63c6af5e40af7f90d150f4e578bae902b5b

SHA512
927ab0980bd126472bca41c5ac94f494766a355a29c8ee68fd82cc014aeee9c3ba47241536951b85fc7906c7e44e60d372d38ada4f58b75b3ab90c2423c639ff

Download Submit
memory/208-171-0x0000000000000000-mapping.dmp

Download
memory/208-175-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/588-242-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/588-235-0x0000000000000000-mapping.dmp

Download
memory/780-268-0x0000000000000000-mapping.dmp

Download
memory/780-274-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/808-251-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/808-245-0x0000000000000000-mapping.dmp

Download
memory/808-114-0x0000000000AB0000-0x0000000000B3E000-memory.dmp

Filesize
568KB

Download
memory/812-277-0x0000000000000000-mapping.dmp

Download
memory/812-285-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/856-273-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/856-270-0x0000000000000000-mapping.dmp

Download
memory/900-286-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/900-279-0x0000000000000000-mapping.dmp

Download
memory/908-174-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/908-169-0x0000000000000000-mapping.dmp

Download
memory/936-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-116-0x0000000000403670-mapping.dmp

Download
memory/936-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1056-208-0x0000000000000000-mapping.dmp

Download
memory/1056-213-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1212-167-0x0000000000000000-mapping.dmp

Download
memory/1260-223-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1260-219-0x0000000000000000-mapping.dmp

Download
memory/1300-265-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1300-258-0x0000000000000000-mapping.dmp

Download
memory/1320-186-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/1320-178-0x0000000000000000-mapping.dmp

Download
memory/1512-182-0x0000000000000000-mapping.dmp

Download
memory/1512-185-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1548-253-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1548-249-0x0000000000000000-mapping.dmp

Download
memory/1676-152-0x0000000000000000-mapping.dmp

Download
memory/1676-155-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1796-275-0x0000000000000000-mapping.dmp

Download
memory/1992-187-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1992-180-0x0000000000000000-mapping.dmp

Download
memory/2056-262-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/2056-254-0x0000000000000000-mapping.dmp

Download
memory/2064-243-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2064-237-0x0000000000000000-mapping.dmp

Download
memory/2124-215-0x0000000000000000-mapping.dmp

Download
memory/2124-221-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2224-166-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2224-160-0x0000000000000000-mapping.dmp

Download
memory/2284-158-0x0000000000000000-mapping.dmp

Download
memory/2284-164-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2300-192-0x0000000000000000-mapping.dmp

Download
memory/2424-210-0x0000000000000000-mapping.dmp

Download
memory/2424-214-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2524-226-0x0000000000000000-mapping.dmp

Download
memory/2524-232-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2732-197-0x0000000000000000-mapping.dmp

Download
memory/2732-203-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2768-145-0x0000000000000000-mapping.dmp

Download
memory/2768-154-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2880-263-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2880-260-0x0000000000000000-mapping.dmp

Download
memory/2956-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2956-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2956-118-0x0000000000411000-mapping.dmp

Download
memory/2988-247-0x0000000000000000-mapping.dmp

Download
memory/2988-252-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3040-264-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3040-256-0x0000000000000000-mapping.dmp

Download
memory/3052-217-0x0000000000000000-mapping.dmp

Download
memory/3052-222-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3100-206-0x0000000000000000-mapping.dmp

Download
memory/3100-212-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3144-176-0x0000000000000000-mapping.dmp

Download
memory/3144-184-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3156-205-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3156-201-0x0000000000000000-mapping.dmp

Download
memory/3164-131-0x0000000000403670-mapping.dmp

Download
memory/3240-244-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3240-239-0x0000000000000000-mapping.dmp

Download
memory/3344-126-0x0000000000000000-mapping.dmp

Download
memory/3344-129-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/3384-188-0x0000000000000000-mapping.dmp

Download
memory/3384-194-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3412-199-0x0000000000000000-mapping.dmp

Download
memory/3412-204-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3448-147-0x0000000000000000-mapping.dmp

Download
memory/3448-156-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3484-190-0x0000000000000000-mapping.dmp

Download
memory/3484-195-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/3500-157-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/3500-149-0x0000000000000000-mapping.dmp

Download
memory/3600-144-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3600-139-0x0000000000000000-mapping.dmp

Download
memory/3676-266-0x0000000000000000-mapping.dmp

Download
memory/3676-272-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3876-142-0x0000000000000000-mapping.dmp

Download
memory/3876-151-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3908-165-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3908-162-0x0000000000000000-mapping.dmp

Download
memory/3912-231-0x0000000000000000-mapping.dmp

Download
memory/3912-241-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4068-228-0x0000000000000000-mapping.dmp

Download
memory/4068-233-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4088-224-0x0000000000000000-mapping.dmp

Download
memory/4088-230-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4120-284-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4120-281-0x0000000000000000-mapping.dmp

Download
memory/4160-293-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4160-287-0x0000000000000000-mapping.dmp

Download
memory/4184-289-0x0000000000000000-mapping.dmp

Download
memory/4184-294-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4208-295-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4208-291-0x0000000000000000-mapping.dmp

Download
memory/4244-302-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4244-296-0x0000000000000000-mapping.dmp

Download
memory/4268-298-0x0000000000000000-mapping.dmp

Download
memory/4268-303-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4292-300-0x0000000000000000-mapping.dmp

Download
memory/4292-304-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4332-312-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4332-305-0x0000000000000000-mapping.dmp

Download
memory/4356-307-0x0000000000000000-mapping.dmp

Download
memory/4356-313-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4380-309-0x0000000000000000-mapping.dmp

Download
memory/4380-314-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4404-311-0x0000000000000000-mapping.dmp

Download
memory/4404-315-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4440-316-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads