warzonerat | a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf

Analysis

max time kernel
150s
max time network
12s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
Size

1.8MB
MD5

b6c8a4f497f3d7a552cb01272123a0f5
SHA1

ab35e3b7d7245a7ebffa74898d788c1938c244e9
SHA256

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf
SHA512

c8507bc0cf0c1ea6e2ba127236fb3d78d93ead60dec2a71c85fa4067047c8df3077f184f383994ef32c5b67559c7a2d065a3c041258cc542ce9ff82e4aa05204

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
432	explorer.exe
1052	explorer.exe
1484	spoolsv.exe
1956	spoolsv.exe
1728	spoolsv.exe
1752	spoolsv.exe
1756	spoolsv.exe
2012	spoolsv.exe
1148	spoolsv.exe
900	spoolsv.exe
1684	spoolsv.exe
752	spoolsv.exe
804	spoolsv.exe
1680	spoolsv.exe
1360	spoolsv.exe
1824	spoolsv.exe
2028	spoolsv.exe
1644	spoolsv.exe
1200	spoolsv.exe
864	spoolsv.exe
924	spoolsv.exe
1348	spoolsv.exe
1848	spoolsv.exe
892	spoolsv.exe
788	spoolsv.exe
1596	spoolsv.exe
1256	spoolsv.exe
1516	spoolsv.exe
1308	spoolsv.exe
1976	spoolsv.exe
1544	spoolsv.exe
888	spoolsv.exe
972	spoolsv.exe
1604	spoolsv.exe
1600	spoolsv.exe
1992	spoolsv.exe
1192	spoolsv.exe
1952	spoolsv.exe
2008	spoolsv.exe
1664	spoolsv.exe
1940	spoolsv.exe
932	spoolsv.exe
1012	spoolsv.exe
436	spoolsv.exe
1912	spoolsv.exe
1920	spoolsv.exe
1080	spoolsv.exe
1300	spoolsv.exe
1780	spoolsv.exe
1636	spoolsv.exe
1648	spoolsv.exe
600	spoolsv.exe
1768	spoolsv.exe
1576	spoolsv.exe
840	spoolsv.exe
1864	spoolsv.exe
956	spoolsv.exe
980	spoolsv.exe
1424	spoolsv.exe
1068	spoolsv.exe
1160	spoolsv.exe
532	spoolsv.exe
1612	spoolsv.exe
1060	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exeexplorer.exe

pid	process
1680	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
1680	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exea56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1084 set thread context of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 set thread context of 1532	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 432 set thread context of 1052	432	explorer.exe	explorer.exe
PID 432 set thread context of 824	432	explorer.exe	diskperf.exe
PID 1484 set thread context of 3096	1484	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 3104	1484	spoolsv.exe	diskperf.exe
PID 1956 set thread context of 3140	1956	spoolsv.exe	spoolsv.exe
PID 1956 set thread context of 3160	1956	spoolsv.exe	diskperf.exe
PID 1728 set thread context of 3176	1728	spoolsv.exe	spoolsv.exe
PID 1728 set thread context of 3184	1728	spoolsv.exe	diskperf.exe
PID 1752 set thread context of 3204	1752	spoolsv.exe	spoolsv.exe
PID 1752 set thread context of 3212	1752	spoolsv.exe	diskperf.exe
PID 1756 set thread context of 3240	1756	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 3248	1756	spoolsv.exe	diskperf.exe
PID 2012 set thread context of 3276	2012	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 3284	2012	spoolsv.exe	diskperf.exe
PID 1148 set thread context of 3304	1148	spoolsv.exe	spoolsv.exe
PID 1148 set thread context of 3312	1148	spoolsv.exe	diskperf.exe
PID 900 set thread context of 3340	900	spoolsv.exe	spoolsv.exe
PID 900 set thread context of 3348	900	spoolsv.exe	diskperf.exe
PID 1684 set thread context of 3372	1684	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 3380	1684	spoolsv.exe	diskperf.exe
PID 752 set thread context of 3408	752	spoolsv.exe	spoolsv.exe
PID 752 set thread context of 3416	752	spoolsv.exe	diskperf.exe
PID 804 set thread context of 3444	804	spoolsv.exe	spoolsv.exe
PID 804 set thread context of 3452	804	spoolsv.exe	diskperf.exe
PID 1680 set thread context of 3476	1680	spoolsv.exe	spoolsv.exe
PID 1680 set thread context of 3484	1680	spoolsv.exe	diskperf.exe
PID 1360 set thread context of 3512	1360	spoolsv.exe	spoolsv.exe
PID 1360 set thread context of 3520	1360	spoolsv.exe	diskperf.exe
PID 1824 set thread context of 3540	1824	spoolsv.exe	spoolsv.exe
PID 1824 set thread context of 3548	1824	spoolsv.exe	diskperf.exe
PID 2028 set thread context of 3580	2028	spoolsv.exe	spoolsv.exe
PID 2028 set thread context of 3588	2028	spoolsv.exe	diskperf.exe
PID 1644 set thread context of 3608	1644	spoolsv.exe	spoolsv.exe
PID 1644 set thread context of 3616	1644	spoolsv.exe	diskperf.exe
PID 1200 set thread context of 3628	1200	spoolsv.exe	spoolsv.exe
PID 1200 set thread context of 3636	1200	spoolsv.exe	diskperf.exe
PID 864 set thread context of 3656	864	spoolsv.exe	spoolsv.exe
PID 864 set thread context of 3664	864	spoolsv.exe	diskperf.exe
PID 924 set thread context of 3692	924	spoolsv.exe	spoolsv.exe
PID 924 set thread context of 3700	924	spoolsv.exe	diskperf.exe
PID 1348 set thread context of 3720	1348	spoolsv.exe	spoolsv.exe
PID 1348 set thread context of 3736	1348	spoolsv.exe	diskperf.exe
PID 1848 set thread context of 3728	1848	spoolsv.exe	spoolsv.exe
PID 1848 set thread context of 3744	1848	spoolsv.exe	diskperf.exe
PID 892 set thread context of 3768	892	spoolsv.exe	spoolsv.exe
PID 892 set thread context of 3776	892	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 3784	1596	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 3804	1596	spoolsv.exe	diskperf.exe
PID 788 set thread context of 3812	788	spoolsv.exe	spoolsv.exe
PID 788 set thread context of 3820	788	spoolsv.exe	diskperf.exe
PID 1256 set thread context of 3840	1256	spoolsv.exe	spoolsv.exe
PID 1256 set thread context of 3848	1256	spoolsv.exe	diskperf.exe
PID 1308 set thread context of 3876	1308	spoolsv.exe	spoolsv.exe
PID 1308 set thread context of 3884	1308	spoolsv.exe	diskperf.exe
PID 1516 set thread context of 3868	1516	spoolsv.exe	spoolsv.exe
PID 1516 set thread context of 3904	1516	spoolsv.exe	diskperf.exe
PID 1976 set thread context of 3912	1976	spoolsv.exe	spoolsv.exe
PID 1976 set thread context of 3920	1976	spoolsv.exe	diskperf.exe
PID 1544 set thread context of 3928	1544	spoolsv.exe	spoolsv.exe
PID 1544 set thread context of 3936	1544	spoolsv.exe	diskperf.exe
PID 888 set thread context of 3956	888	spoolsv.exe	spoolsv.exe
PID 888 set thread context of 3964	888	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exea56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exeexplorer.exe

pid	process
1680	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1052 explorer.exe

pid	process
1052	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1680	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
1680	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
1052	explorer.exe
3096	spoolsv.exe
3096	spoolsv.exe
3140	spoolsv.exe
3140	spoolsv.exe
3176	spoolsv.exe
3176	spoolsv.exe
3204	spoolsv.exe
3204	spoolsv.exe
3240	spoolsv.exe
3240	spoolsv.exe
3276	spoolsv.exe
3276	spoolsv.exe
3304	spoolsv.exe
3304	spoolsv.exe
3340	spoolsv.exe
3340	spoolsv.exe
3372	spoolsv.exe
3372	spoolsv.exe
3408	spoolsv.exe
3408	spoolsv.exe
3444	spoolsv.exe
3444	spoolsv.exe
3476	spoolsv.exe
3476	spoolsv.exe
3512	spoolsv.exe
3512	spoolsv.exe
3540	spoolsv.exe
3540	spoolsv.exe
3580	spoolsv.exe
3580	spoolsv.exe
3608	spoolsv.exe
3608	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
3656	spoolsv.exe
3656	spoolsv.exe
3692	spoolsv.exe
3692	spoolsv.exe
3720	spoolsv.exe
3728	spoolsv.exe
3720	spoolsv.exe
3728	spoolsv.exe
3768	spoolsv.exe
3768	spoolsv.exe
3784	spoolsv.exe
3784	spoolsv.exe
3812	spoolsv.exe
3812	spoolsv.exe
3840	spoolsv.exe
3840	spoolsv.exe
3876	spoolsv.exe
3876	spoolsv.exe
3868	spoolsv.exe
3868	spoolsv.exe
3912	spoolsv.exe
3912	spoolsv.exe
3928	spoolsv.exe
3928	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exea56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1084 wrote to memory of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 wrote to memory of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 wrote to memory of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 wrote to memory of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 wrote to memory of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 wrote to memory of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 wrote to memory of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 wrote to memory of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 wrote to memory of 1680	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
PID 1084 wrote to memory of 1532	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 1084 wrote to memory of 1532	1084	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	diskperf.exe
PID 1680 wrote to memory of 432	1680	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	explorer.exe
PID 1680 wrote to memory of 432	1680	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	explorer.exe
PID 1680 wrote to memory of 432	1680	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	explorer.exe
PID 1680 wrote to memory of 432	1680	a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe	explorer.exe
PID 432 wrote to memory of 1052	432	explorer.exe	explorer.exe
PID 432 wrote to memory of 1052	432	explorer.exe	explorer.exe
PID 432 wrote to memory of 1052	432	explorer.exe	explorer.exe
PID 432 wrote to memory of 1052	432	explorer.exe	explorer.exe
PID 432 wrote to memory of 1052	432	explorer.exe	explorer.exe
PID 432 wrote to memory of 1052	432	explorer.exe	explorer.exe
PID 432 wrote to memory of 1052	432	explorer.exe	explorer.exe
PID 432 wrote to memory of 1052	432	explorer.exe	explorer.exe
PID 432 wrote to memory of 1052	432	explorer.exe	explorer.exe
PID 432 wrote to memory of 824	432	explorer.exe	diskperf.exe
PID 432 wrote to memory of 824	432	explorer.exe	diskperf.exe
PID 432 wrote to memory of 824	432	explorer.exe	diskperf.exe
PID 432 wrote to memory of 824	432	explorer.exe	diskperf.exe
PID 432 wrote to memory of 824	432	explorer.exe	diskperf.exe
PID 432 wrote to memory of 824	432	explorer.exe	diskperf.exe
PID 1052 wrote to memory of 1484	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1484	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1484	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1484	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1956	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1956	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1956	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1956	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1728	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1728	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1728	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1728	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1752	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1752	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1752	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1752	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1756	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1756	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1756	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1756	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 2012	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 2012	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 2012	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 2012	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1148	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1148	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1148	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 1148	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 900	1052	explorer.exe	spoolsv.exe
PID 1052 wrote to memory of 900	1052	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
"C:\Users\Admin\AppData\Local\Temp\a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe
"C:\Users\Admin\AppData\Local\Temp\a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:432

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3096

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3140

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3152

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3176

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3204

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3224

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3240

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3260

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3296

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3304

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3340

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3360

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3372

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3392

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3408

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3444

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3476

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3496

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3512

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3608

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3628

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3720

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3812

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3796

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3840

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3876

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3928

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3984

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3220

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3272

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1620

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3276

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3320

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3356

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:292

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3516

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3624

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:328

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3732

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:288

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4020

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:952

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3624

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1708

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:288

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1532

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b6c8a4f497f3d7a552cb01272123a0f5

SHA1
ab35e3b7d7245a7ebffa74898d788c1938c244e9

SHA256
a56e874dafa172b5366252e62b9776a1d61c9c4287c712cc56f65571bcd59acf

SHA512
c8507bc0cf0c1ea6e2ba127236fb3d78d93ead60dec2a71c85fa4067047c8df3077f184f383994ef32c5b67559c7a2d065a3c041258cc542ce9ff82e4aa05204

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
4e0e3800a923298c3ca1ed4ac2c04d43

SHA1
749e1ee0631dbe0c0d3d0ad3b9f2452cc03e78e3

SHA256
45e5f03018992f1e630ba7ec8c91ae66eb7f368367478fb5cf30a0b0caef2ce9

SHA512
ef93a08f98ac661762fd45efe60045de37e448dfafbbce73e4a72adb8aaf23ae6f14b7dc78c71c5b2b91be496c15478554d8192043f508b383eb04d8bd261590

Download Submit
C:\Windows\system\explorer.exe
MD5
4e0e3800a923298c3ca1ed4ac2c04d43

SHA1
749e1ee0631dbe0c0d3d0ad3b9f2452cc03e78e3

SHA256
45e5f03018992f1e630ba7ec8c91ae66eb7f368367478fb5cf30a0b0caef2ce9

SHA512
ef93a08f98ac661762fd45efe60045de37e448dfafbbce73e4a72adb8aaf23ae6f14b7dc78c71c5b2b91be496c15478554d8192043f508b383eb04d8bd261590

Download Submit
C:\Windows\system\explorer.exe
MD5
4e0e3800a923298c3ca1ed4ac2c04d43

SHA1
749e1ee0631dbe0c0d3d0ad3b9f2452cc03e78e3

SHA256
45e5f03018992f1e630ba7ec8c91ae66eb7f368367478fb5cf30a0b0caef2ce9

SHA512
ef93a08f98ac661762fd45efe60045de37e448dfafbbce73e4a72adb8aaf23ae6f14b7dc78c71c5b2b91be496c15478554d8192043f508b383eb04d8bd261590

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\??\c:\windows\system\explorer.exe
MD5
4e0e3800a923298c3ca1ed4ac2c04d43

SHA1
749e1ee0631dbe0c0d3d0ad3b9f2452cc03e78e3

SHA256
45e5f03018992f1e630ba7ec8c91ae66eb7f368367478fb5cf30a0b0caef2ce9

SHA512
ef93a08f98ac661762fd45efe60045de37e448dfafbbce73e4a72adb8aaf23ae6f14b7dc78c71c5b2b91be496c15478554d8192043f508b383eb04d8bd261590

Download Submit
\Windows\system\explorer.exe
MD5
4e0e3800a923298c3ca1ed4ac2c04d43

SHA1
749e1ee0631dbe0c0d3d0ad3b9f2452cc03e78e3

SHA256
45e5f03018992f1e630ba7ec8c91ae66eb7f368367478fb5cf30a0b0caef2ce9

SHA512
ef93a08f98ac661762fd45efe60045de37e448dfafbbce73e4a72adb8aaf23ae6f14b7dc78c71c5b2b91be496c15478554d8192043f508b383eb04d8bd261590

Download Submit
\Windows\system\explorer.exe
MD5
4e0e3800a923298c3ca1ed4ac2c04d43

SHA1
749e1ee0631dbe0c0d3d0ad3b9f2452cc03e78e3

SHA256
45e5f03018992f1e630ba7ec8c91ae66eb7f368367478fb5cf30a0b0caef2ce9

SHA512
ef93a08f98ac661762fd45efe60045de37e448dfafbbce73e4a72adb8aaf23ae6f14b7dc78c71c5b2b91be496c15478554d8192043f508b383eb04d8bd261590

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
\Windows\system\spoolsv.exe
MD5
66c328f05ab81725c787e3ca40e40672

SHA1
2e0645a1971c49e93c7690f6dc9a0b85a8a3949d

SHA256
34d5c19ec33180459efd50ad51c05218e5212e94f0bce6d90cb03bb593366075

SHA512
250388f5e9dfaaa17807158797c20511d72c003b07e85cd3cc358c851078513c86a37cb3985a22501533e92f62462b099b2b26a147b75626c0e0b73db4992e2c

Download Submit
memory/432-73-0x0000000000000000-mapping.dmp

Download
memory/432-78-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/436-282-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/436-272-0x0000000000000000-mapping.dmp

Download
memory/600-293-0x0000000000000000-mapping.dmp

Download
memory/600-301-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/752-148-0x0000000000000000-mapping.dmp

Download
memory/788-214-0x0000000000000000-mapping.dmp

Download
memory/788-223-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/804-156-0x0000000000000000-mapping.dmp

Download
memory/804-159-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/824-86-0x0000000000411000-mapping.dmp

Download
memory/840-303-0x0000000000000000-mapping.dmp

Download
memory/864-198-0x0000000000000000-mapping.dmp

Download
memory/864-206-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/888-234-0x0000000000000000-mapping.dmp

Download
memory/888-244-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/892-212-0x0000000000000000-mapping.dmp

Download
memory/900-149-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/900-137-0x0000000000000000-mapping.dmp

Download
memory/924-203-0x0000000000000000-mapping.dmp

Download
memory/924-207-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/932-268-0x0000000000000000-mapping.dmp

Download
memory/932-280-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/956-305-0x0000000000000000-mapping.dmp

Download
memory/972-245-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/972-236-0x0000000000000000-mapping.dmp

Download
memory/980-312-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/980-306-0x0000000000000000-mapping.dmp

Download
memory/1012-281-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1012-270-0x0000000000000000-mapping.dmp

Download
memory/1052-81-0x0000000000403670-mapping.dmp

Download
memory/1068-314-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1068-308-0x0000000000000000-mapping.dmp

Download
memory/1080-278-0x0000000000000000-mapping.dmp

Download
memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1084-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1148-145-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1148-131-0x0000000000000000-mapping.dmp

Download
memory/1160-315-0x0000000000000000-mapping.dmp

Download
memory/1192-263-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1192-251-0x0000000000000000-mapping.dmp

Download
memory/1200-195-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1200-191-0x0000000000000000-mapping.dmp

Download
memory/1256-218-0x0000000000000000-mapping.dmp

Download
memory/1256-225-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1300-286-0x0000000000000000-mapping.dmp

Download
memory/1308-241-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1308-228-0x0000000000000000-mapping.dmp

Download
memory/1348-208-0x0000000000000000-mapping.dmp

Download
memory/1360-167-0x0000000000000000-mapping.dmp

Download
memory/1424-313-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1424-307-0x0000000000000000-mapping.dmp

Download
memory/1484-96-0x0000000000000000-mapping.dmp

Download
memory/1484-104-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1516-226-0x0000000000000000-mapping.dmp

Download
memory/1532-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1532-68-0x0000000000411000-mapping.dmp

Download
memory/1544-232-0x0000000000000000-mapping.dmp

Download
memory/1544-243-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1576-296-0x0000000000000000-mapping.dmp

Download
memory/1596-224-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1596-216-0x0000000000000000-mapping.dmp

Download
memory/1600-261-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1600-247-0x0000000000000000-mapping.dmp

Download
memory/1604-238-0x0000000000000000-mapping.dmp

Download
memory/1636-290-0x0000000000000000-mapping.dmp

Download
memory/1636-298-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1644-186-0x0000000000000000-mapping.dmp

Download
memory/1644-194-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1648-292-0x0000000000000000-mapping.dmp

Download
memory/1648-300-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1664-266-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1664-257-0x0000000000000000-mapping.dmp

Download
memory/1680-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1680-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1680-162-0x0000000000000000-mapping.dmp

Download
memory/1680-170-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1680-63-0x0000000000403670-mapping.dmp

Download
memory/1684-142-0x0000000000000000-mapping.dmp

Download
memory/1684-151-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1728-108-0x0000000000000000-mapping.dmp

Download
memory/1728-117-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1752-120-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1752-113-0x0000000000000000-mapping.dmp

Download
memory/1756-128-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1756-119-0x0000000000000000-mapping.dmp

Download
memory/1768-294-0x0000000000000000-mapping.dmp

Download
memory/1780-288-0x0000000000000000-mapping.dmp

Download
memory/1780-297-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1824-174-0x0000000000000000-mapping.dmp

Download
memory/1848-221-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1848-210-0x0000000000000000-mapping.dmp

Download
memory/1864-304-0x0000000000000000-mapping.dmp

Download
memory/1864-310-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1912-274-0x0000000000000000-mapping.dmp

Download
memory/1920-276-0x0000000000000000-mapping.dmp

Download
memory/1920-284-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1940-267-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1940-259-0x0000000000000000-mapping.dmp

Download
memory/1952-264-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1952-253-0x0000000000000000-mapping.dmp

Download
memory/1956-105-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1956-101-0x0000000000000000-mapping.dmp

Download
memory/1976-230-0x0000000000000000-mapping.dmp

Download
memory/1992-249-0x0000000000000000-mapping.dmp

Download
memory/2008-265-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2008-255-0x0000000000000000-mapping.dmp

Download
memory/2012-132-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-125-0x0000000000000000-mapping.dmp

Download
memory/2028-179-0x0000000000000000-mapping.dmp

Download
memory/2028-183-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download