warzonerat | 9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

Analysis

max time kernel
144s
max time network
129s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
Size

1.8MB
MD5

fd27da880372209151379289b0e57d11
SHA1

9d9236804d7a0574ebff234bec1bea519497c27f
SHA256

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339
SHA512

d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2816	explorer.exe
2232	explorer.exe
1012	spoolsv.exe
3868	spoolsv.exe
3844	spoolsv.exe
4000	spoolsv.exe
3160	spoolsv.exe
3156	spoolsv.exe
3764	spoolsv.exe
3720	spoolsv.exe
4064	spoolsv.exe
768	spoolsv.exe
632	spoolsv.exe
1096	spoolsv.exe
2788	spoolsv.exe
580	spoolsv.exe
1656	spoolsv.exe
1448	spoolsv.exe
3504	spoolsv.exe
3548	spoolsv.exe
4044	spoolsv.exe
3968	spoolsv.exe
3380	spoolsv.exe
2300	spoolsv.exe
1492	spoolsv.exe
3176	spoolsv.exe
1452	spoolsv.exe
2592	spoolsv.exe
2164	spoolsv.exe
4032	spoolsv.exe
3148	spoolsv.exe
3124	spoolsv.exe
1616	spoolsv.exe
2836	spoolsv.exe
3960	spoolsv.exe
200	spoolsv.exe
2960	spoolsv.exe
3652	spoolsv.exe
3592	spoolsv.exe
2576	spoolsv.exe
1168	spoolsv.exe
2256	spoolsv.exe
860	spoolsv.exe
2976	spoolsv.exe
1004	spoolsv.exe
2904	spoolsv.exe
2688	spoolsv.exe
968	spoolsv.exe
1040	spoolsv.exe
1540	spoolsv.exe
1000	spoolsv.exe
3856	spoolsv.exe
4116	spoolsv.exe
4152	spoolsv.exe
4176	spoolsv.exe
4200	spoolsv.exe
4224	spoolsv.exe
4264	spoolsv.exe
4288	spoolsv.exe
4312	spoolsv.exe
4348	spoolsv.exe
4368	spoolsv.exe
4392	spoolsv.exe
4408	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 46 IoCs

Processes:

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 804 set thread context of 2688	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 804 set thread context of 3020	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 2816 set thread context of 2232	2816	explorer.exe	explorer.exe
PID 1012 set thread context of 6656	1012	spoolsv.exe	spoolsv.exe
PID 1012 set thread context of 6680	1012	spoolsv.exe	diskperf.exe
PID 3868 set thread context of 6760	3868	spoolsv.exe	spoolsv.exe
PID 3844 set thread context of 6816	3844	spoolsv.exe	spoolsv.exe
PID 3844 set thread context of 6844	3844	spoolsv.exe	diskperf.exe
PID 4000 set thread context of 6908	4000	spoolsv.exe	spoolsv.exe
PID 3160 set thread context of 6920	3160	spoolsv.exe	spoolsv.exe
PID 4000 set thread context of 6940	4000	spoolsv.exe	diskperf.exe
PID 3160 set thread context of 6956	3160	spoolsv.exe	diskperf.exe
PID 3156 set thread context of 7032	3156	spoolsv.exe	spoolsv.exe
PID 3156 set thread context of 7048	3156	spoolsv.exe	diskperf.exe
PID 3764 set thread context of 7088	3764	spoolsv.exe	spoolsv.exe
PID 3764 set thread context of 7124	3764	spoolsv.exe	diskperf.exe
PID 3720 set thread context of 7156	3720	spoolsv.exe	spoolsv.exe
PID 3720 set thread context of 2276	3720	spoolsv.exe	diskperf.exe
PID 4064 set thread context of 1316	4064	spoolsv.exe	spoolsv.exe
PID 4064 set thread context of 3692	4064	spoolsv.exe	diskperf.exe
PID 768 set thread context of 3884	768	spoolsv.exe	spoolsv.exe
PID 768 set thread context of 392	768	spoolsv.exe	diskperf.exe
PID 632 set thread context of 6784	632	spoolsv.exe	spoolsv.exe
PID 632 set thread context of 6852	632	spoolsv.exe	diskperf.exe
PID 1096 set thread context of 4028	1096	spoolsv.exe	spoolsv.exe
PID 1096 set thread context of 6660	1096	spoolsv.exe	diskperf.exe
PID 2788 set thread context of 6916	2788	spoolsv.exe	spoolsv.exe
PID 580 set thread context of 6980	580	spoolsv.exe	spoolsv.exe
PID 1656 set thread context of 2872	1656	spoolsv.exe	spoolsv.exe
PID 1656 set thread context of 7012	1656	spoolsv.exe	diskperf.exe
PID 1448 set thread context of 6932	1448	spoolsv.exe	spoolsv.exe
PID 1448 set thread context of 3556	1448	spoolsv.exe	diskperf.exe
PID 3504 set thread context of 744	3504	spoolsv.exe	spoolsv.exe
PID 3504 set thread context of 7060	3504	spoolsv.exe	diskperf.exe
PID 3548 set thread context of 1840	3548	spoolsv.exe	spoolsv.exe
PID 4044 set thread context of 7104	4044	spoolsv.exe	spoolsv.exe
PID 4044 set thread context of 7116	4044	spoolsv.exe	diskperf.exe
PID 3968 set thread context of 2140	3968	spoolsv.exe	spoolsv.exe
PID 3968 set thread context of 7140	3968	spoolsv.exe	diskperf.exe
PID 3380 set thread context of 7160	3380	spoolsv.exe	spoolsv.exe
PID 3380 set thread context of 3648	3380	spoolsv.exe	diskperf.exe
PID 2300 set thread context of 6792	2300	spoolsv.exe	spoolsv.exe
PID 2300 set thread context of 6776	2300	spoolsv.exe	diskperf.exe
PID 1492 set thread context of 6724	1492	spoolsv.exe	spoolsv.exe
PID 3176 set thread context of 496	3176	spoolsv.exe	spoolsv.exe
PID 3176 set thread context of 6988	3176	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exeexplorer.exe

pid	process
2688	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
2688	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2232 explorer.exe

pid	process
2232	explorer.exe

Suspicious use of SetWindowsHookEx 54 IoCs

Processes:

pid	process
2688	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
2688	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
2232	explorer.exe
6656	spoolsv.exe
6656	spoolsv.exe
6760	spoolsv.exe
6760	spoolsv.exe
6816	spoolsv.exe
6816	spoolsv.exe
6920	spoolsv.exe
6908	spoolsv.exe
6920	spoolsv.exe
6908	spoolsv.exe
7032	spoolsv.exe
7032	spoolsv.exe
7088	spoolsv.exe
7088	spoolsv.exe
7156	spoolsv.exe
7156	spoolsv.exe
1316	spoolsv.exe
1316	spoolsv.exe
3884	spoolsv.exe
3884	spoolsv.exe
6784	spoolsv.exe
6784	spoolsv.exe
4028	spoolsv.exe
4028	spoolsv.exe
6916	spoolsv.exe
6916	spoolsv.exe
6980	spoolsv.exe
6980	spoolsv.exe
2872	spoolsv.exe
2872	spoolsv.exe
6932	spoolsv.exe
6932	spoolsv.exe
744	spoolsv.exe
744	spoolsv.exe
1840	spoolsv.exe
1840	spoolsv.exe
7104	spoolsv.exe
7104	spoolsv.exe
2140	spoolsv.exe
2140	spoolsv.exe
7160	spoolsv.exe
7160	spoolsv.exe
6792	spoolsv.exe
6792	spoolsv.exe
6724	spoolsv.exe
6724	spoolsv.exe
496	spoolsv.exe
496	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 804 wrote to memory of 2688	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 804 wrote to memory of 2688	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 804 wrote to memory of 2688	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 804 wrote to memory of 2688	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 804 wrote to memory of 2688	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 804 wrote to memory of 2688	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 804 wrote to memory of 2688	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 804 wrote to memory of 2688	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
PID 804 wrote to memory of 3020	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 804 wrote to memory of 3020	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 804 wrote to memory of 3020	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 804 wrote to memory of 3020	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 804 wrote to memory of 3020	804	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	diskperf.exe
PID 2688 wrote to memory of 2816	2688	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	explorer.exe
PID 2688 wrote to memory of 2816	2688	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	explorer.exe
PID 2688 wrote to memory of 2816	2688	9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe	explorer.exe
PID 2816 wrote to memory of 2232	2816	explorer.exe	explorer.exe
PID 2816 wrote to memory of 2232	2816	explorer.exe	explorer.exe
PID 2816 wrote to memory of 2232	2816	explorer.exe	explorer.exe
PID 2816 wrote to memory of 2232	2816	explorer.exe	explorer.exe
PID 2816 wrote to memory of 2232	2816	explorer.exe	explorer.exe
PID 2816 wrote to memory of 2232	2816	explorer.exe	explorer.exe
PID 2816 wrote to memory of 2232	2816	explorer.exe	explorer.exe
PID 2816 wrote to memory of 2232	2816	explorer.exe	explorer.exe
PID 2816 wrote to memory of 1308	2816	explorer.exe	diskperf.exe
PID 2816 wrote to memory of 1308	2816	explorer.exe	diskperf.exe
PID 2816 wrote to memory of 1308	2816	explorer.exe	diskperf.exe
PID 2232 wrote to memory of 1012	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 1012	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 1012	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3868	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3868	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3868	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3844	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3844	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3844	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 4000	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 4000	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 4000	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3160	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3160	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3160	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3156	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3156	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3156	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3764	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3764	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3764	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3720	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3720	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 3720	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 4064	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 4064	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 4064	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 768	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 768	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 768	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 632	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 632	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 632	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 1096	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 1096	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 1096	2232	explorer.exe	spoolsv.exe
PID 2232 wrote to memory of 2788	2232	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
"C:\Users\Admin\AppData\Local\Temp\9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe
  "C:\Users\Admin\AppData\Local\Temp\9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1012
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6656
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6824
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3868
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6760
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3844
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6816
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4000
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6908
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3160
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6920
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7032
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7108
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3764
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7088
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3720
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7156
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4064
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1316
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:768
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3884
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:632
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6784
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1096
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4028
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6672
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2788
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6916
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6976
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:580
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6980
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1656
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2872
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6924
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1448
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6932
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3504
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2072
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1840
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4044
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7104
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3140
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3968
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2140
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3380
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7160
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6668
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2300
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6792
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:368
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1492
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6724
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3976
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3176
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:496
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6992
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1452
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1444
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2608
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2592
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3800
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3772
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2164
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3700
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4032
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7152
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2244
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3148
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4360
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4380
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3124
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4420
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4436
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1616
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4024
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2836
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4492
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1640
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2148
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7004
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:200
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2596
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7164
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7036
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4620
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3652
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4648
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2508
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3592
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3180
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2576
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6772
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4420
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1168
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4776
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4076
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2256
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2192
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4828
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:860
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1084
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2148
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2976
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4892
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4928
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6836
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1308
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3020

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
fd27da880372209151379289b0e57d11

SHA1
9d9236804d7a0574ebff234bec1bea519497c27f

SHA256
9a825ee20f777192913e6c02d8038cdb34907bbcfdec074f664516668f7d1339

SHA512
d69b43d30cefdf0255c96763f1e53469ff3c0b1dada711b606959616e7af0608fd4cdc6e4b86b2cf174fb856e6ab01f089d6bf295217f6966c8b2576b34c338d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
6580c7b0cc4524981467c2b2aeb77b45

SHA1
c073abc866884297d6b4a805f1dbe7c77164e743

SHA256
fdb17a6f6c9329c103da3b1ae1b9264634f990db231a9cfec1644df8f2c31465

SHA512
0e9d4130b6dcfd3f873bfdc5a66e05f4ccfceb2bca95157dbc1bff2e15a33318266f08c9de5e0fc7945e49d9c11164f768f9bf10779a72513fc205f6df353e61

Download Submit
C:\Windows\System\explorer.exe

MD5
6580c7b0cc4524981467c2b2aeb77b45

SHA1
c073abc866884297d6b4a805f1dbe7c77164e743

SHA256
fdb17a6f6c9329c103da3b1ae1b9264634f990db231a9cfec1644df8f2c31465

SHA512
0e9d4130b6dcfd3f873bfdc5a66e05f4ccfceb2bca95157dbc1bff2e15a33318266f08c9de5e0fc7945e49d9c11164f768f9bf10779a72513fc205f6df353e61

Download Submit
C:\Windows\System\explorer.exe

MD5
6580c7b0cc4524981467c2b2aeb77b45

SHA1
c073abc866884297d6b4a805f1dbe7c77164e743

SHA256
fdb17a6f6c9329c103da3b1ae1b9264634f990db231a9cfec1644df8f2c31465

SHA512
0e9d4130b6dcfd3f873bfdc5a66e05f4ccfceb2bca95157dbc1bff2e15a33318266f08c9de5e0fc7945e49d9c11164f768f9bf10779a72513fc205f6df353e61

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
\??\c:\windows\system\explorer.exe

MD5
6580c7b0cc4524981467c2b2aeb77b45

SHA1
c073abc866884297d6b4a805f1dbe7c77164e743

SHA256
fdb17a6f6c9329c103da3b1ae1b9264634f990db231a9cfec1644df8f2c31465

SHA512
0e9d4130b6dcfd3f873bfdc5a66e05f4ccfceb2bca95157dbc1bff2e15a33318266f08c9de5e0fc7945e49d9c11164f768f9bf10779a72513fc205f6df353e61

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
5e5da8eb41820f1e0bec96b907a55a3c

SHA1
e14486ce6bf985ddf9581e13bfef656aa60afc44

SHA256
c0ac83685a6eca4e9571d611d76012b6b590b57a46052f5e4ea546d5abd3f1c0

SHA512
4d710f607746bfa1f0b1f70ead90129dfce0fb5607d1f76e9ddac9232fa44b9b98cd8d774503825c137858be835a3a16e8f159c2525ec3dbb9205bdcc4c7c1b8

Download Submit
memory/200-245-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/200-239-0x0000000000000000-mapping.dmp

Download
memory/580-180-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/580-177-0x0000000000000000-mapping.dmp

Download
memory/632-172-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/632-168-0x0000000000000000-mapping.dmp

Download
memory/768-166-0x0000000000000000-mapping.dmp

Download
memory/768-171-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/804-114-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/860-264-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/860-259-0x0000000000000000-mapping.dmp

Download
memory/968-275-0x0000000000000000-mapping.dmp

Download
memory/968-281-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1000-284-0x0000000000000000-mapping.dmp

Download
memory/1004-266-0x0000000000000000-mapping.dmp

Download
memory/1004-272-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1012-142-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1012-139-0x0000000000000000-mapping.dmp

Download
memory/1040-277-0x0000000000000000-mapping.dmp

Download
memory/1040-282-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1096-179-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/1096-173-0x0000000000000000-mapping.dmp

Download
memory/1168-256-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1168-252-0x0000000000000000-mapping.dmp

Download
memory/1448-184-0x0000000000000000-mapping.dmp

Download
memory/1448-191-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1452-212-0x0000000000000000-mapping.dmp

Download
memory/1452-218-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1492-211-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1492-205-0x0000000000000000-mapping.dmp

Download
memory/1540-283-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/1540-279-0x0000000000000000-mapping.dmp

Download
memory/1616-228-0x0000000000000000-mapping.dmp

Download
memory/1616-236-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/1656-190-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1656-182-0x0000000000000000-mapping.dmp

Download
memory/2164-216-0x0000000000000000-mapping.dmp

Download
memory/2164-220-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2232-131-0x0000000000403670-mapping.dmp

Download
memory/2256-263-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2256-257-0x0000000000000000-mapping.dmp

Download
memory/2300-209-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/2300-203-0x0000000000000000-mapping.dmp

Download
memory/2576-255-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2576-250-0x0000000000000000-mapping.dmp

Download
memory/2592-219-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2592-214-0x0000000000000000-mapping.dmp

Download
memory/2688-116-0x0000000000403670-mapping.dmp

Download
memory/2688-274-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2688-270-0x0000000000000000-mapping.dmp

Download
memory/2688-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-122-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2788-181-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2788-175-0x0000000000000000-mapping.dmp

Download
memory/2816-129-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2816-126-0x0000000000000000-mapping.dmp

Download
memory/2836-237-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2836-232-0x0000000000000000-mapping.dmp

Download
memory/2904-268-0x0000000000000000-mapping.dmp

Download
memory/2904-273-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2960-241-0x0000000000000000-mapping.dmp

Download
memory/2960-246-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2976-261-0x0000000000000000-mapping.dmp

Download
memory/2976-265-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3020-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3020-123-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3020-118-0x0000000000411000-mapping.dmp

Download
memory/3124-225-0x0000000000000000-mapping.dmp

Download
memory/3124-230-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/3148-229-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3148-223-0x0000000000000000-mapping.dmp

Download
memory/3156-155-0x0000000000000000-mapping.dmp

Download
memory/3156-161-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3160-153-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3160-149-0x0000000000000000-mapping.dmp

Download
memory/3176-210-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/3176-207-0x0000000000000000-mapping.dmp

Download
memory/3380-201-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3380-198-0x0000000000000000-mapping.dmp

Download
memory/3504-192-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3504-186-0x0000000000000000-mapping.dmp

Download
memory/3548-188-0x0000000000000000-mapping.dmp

Download
memory/3548-193-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/3592-248-0x0000000000000000-mapping.dmp

Download
memory/3592-254-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3652-243-0x0000000000000000-mapping.dmp

Download
memory/3652-247-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3720-162-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3720-159-0x0000000000000000-mapping.dmp

Download
memory/3764-157-0x0000000000000000-mapping.dmp

Download
memory/3844-152-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3844-145-0x0000000000000000-mapping.dmp

Download
memory/3856-291-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/3856-286-0x0000000000000000-mapping.dmp

Download
memory/3868-151-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3868-143-0x0000000000000000-mapping.dmp

Download
memory/3960-234-0x0000000000000000-mapping.dmp

Download
memory/3960-238-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3968-202-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/3968-196-0x0000000000000000-mapping.dmp

Download
memory/4000-147-0x0000000000000000-mapping.dmp

Download
memory/4000-154-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4032-221-0x0000000000000000-mapping.dmp

Download
memory/4032-227-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4044-200-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4044-194-0x0000000000000000-mapping.dmp

Download
memory/4064-164-0x0000000000000000-mapping.dmp

Download
memory/4064-170-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4116-292-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4116-288-0x0000000000000000-mapping.dmp

Download
memory/4152-293-0x0000000000000000-mapping.dmp

Download
memory/4152-301-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4176-303-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4176-295-0x0000000000000000-mapping.dmp

Download
memory/4200-297-0x0000000000000000-mapping.dmp

Download
memory/4200-304-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4224-299-0x0000000000000000-mapping.dmp

Download
memory/4264-305-0x0000000000000000-mapping.dmp

Download
memory/4264-311-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4288-307-0x0000000000000000-mapping.dmp

Download
memory/4288-312-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/4312-309-0x0000000000000000-mapping.dmp

Download
memory/4312-313-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4348-314-0x0000000000000000-mapping.dmp

Download
memory/4348-316-0x00000000005A0000-0x000000000064E000-memory.dmp

Filesize
696KB

Download
memory/4368-315-0x0000000000000000-mapping.dmp

Download