warzonerat | 926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea

Analysis

max time kernel
146s
max time network
114s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc4a2d6d_by_Libranalysis.exe
Size

1.8MB
MD5

bc4a2d6d59a0aee1a434e93f5d59019a
SHA1

2403a1c0017b46d2357f3730b9d5c16fa7284a28
SHA256

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea
SHA512

5b808a743ed3663656417dc23b9614dc89ab25c5814040f76afa356659ce3614431a2580963e977c9169d262ba80a4238d70ab53b7317f1b6003fd5111e8ba47

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3956	explorer.exe
3108	explorer.exe
3404	spoolsv.exe
3828	spoolsv.exe
1524	spoolsv.exe
3692	spoolsv.exe
4064	spoolsv.exe
800	spoolsv.exe
568	spoolsv.exe
2276	spoolsv.exe
2200	spoolsv.exe
2248	spoolsv.exe
1824	spoolsv.exe
2144	spoolsv.exe
2120	spoolsv.exe
2072	spoolsv.exe
204	spoolsv.exe
2332	spoolsv.exe
3884	spoolsv.exe
296	spoolsv.exe
3792	spoolsv.exe
1552	spoolsv.exe
4032	spoolsv.exe
2420	spoolsv.exe
3312	spoolsv.exe
2180	spoolsv.exe
640	spoolsv.exe
2340	spoolsv.exe
4008	spoolsv.exe
2088	spoolsv.exe
3896	spoolsv.exe
1960	spoolsv.exe
3860	spoolsv.exe
2424	spoolsv.exe
1556	spoolsv.exe
2348	spoolsv.exe
736	spoolsv.exe
2892	spoolsv.exe
1788	spoolsv.exe
3952	spoolsv.exe
1796	spoolsv.exe
896	spoolsv.exe
4136	spoolsv.exe
4160	spoolsv.exe
4184	spoolsv.exe
4220	spoolsv.exe
4244	spoolsv.exe
4268	spoolsv.exe
4292	spoolsv.exe
4332	spoolsv.exe
4356	spoolsv.exe
4380	spoolsv.exe
4416	spoolsv.exe
4440	spoolsv.exe
4464	spoolsv.exe
4488	spoolsv.exe
4528	spoolsv.exe
4552	spoolsv.exe
4576	spoolsv.exe
4612	spoolsv.exe
4636	spoolsv.exe
4656	spoolsv.exe
4672	spoolsv.exe
4688	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exebc4a2d6d_by_Libranalysis.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	bc4a2d6d_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 4056 set thread context of 732	4056	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 4056 set thread context of 1100	4056	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 3956 set thread context of 3108	3956	explorer.exe	explorer.exe
PID 3956 set thread context of 2412	3956	explorer.exe	diskperf.exe
PID 3404 set thread context of 6716	3404	spoolsv.exe	spoolsv.exe
PID 3404 set thread context of 6732	3404	spoolsv.exe	diskperf.exe
PID 3828 set thread context of 6832	3828	spoolsv.exe	spoolsv.exe
PID 3828 set thread context of 6848	3828	spoolsv.exe	diskperf.exe
PID 1524 set thread context of 6868	1524	spoolsv.exe	spoolsv.exe
PID 4064 set thread context of 6932	4064	spoolsv.exe	spoolsv.exe
PID 3692 set thread context of 6944	3692	spoolsv.exe	spoolsv.exe
PID 800 set thread context of 7012	800	spoolsv.exe	spoolsv.exe
PID 800 set thread context of 7028	800	spoolsv.exe	diskperf.exe
PID 568 set thread context of 7040	568	spoolsv.exe	spoolsv.exe
PID 568 set thread context of 7072	568	spoolsv.exe	diskperf.exe
PID 2276 set thread context of 7100	2276	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 7164	2276	spoolsv.exe	diskperf.exe
PID 2200 set thread context of 2780	2200	spoolsv.exe	spoolsv.exe
PID 2200 set thread context of 6780	2200	spoolsv.exe	diskperf.exe
PID 2248 set thread context of 4236	2248	spoolsv.exe	spoolsv.exe
PID 2248 set thread context of 6788	2248	spoolsv.exe	diskperf.exe
PID 1824 set thread context of 6864	1824	spoolsv.exe	spoolsv.exe
PID 2144 set thread context of 6892	2144	spoolsv.exe	spoolsv.exe
PID 2120 set thread context of 6912	2120	spoolsv.exe	spoolsv.exe
PID 2144 set thread context of 6916	2144	spoolsv.exe	diskperf.exe
PID 2120 set thread context of 6844	2120	spoolsv.exe	diskperf.exe
PID 2072 set thread context of 1180	2072	spoolsv.exe	spoolsv.exe
PID 204 set thread context of 6976	204	spoolsv.exe	spoolsv.exe
PID 204 set thread context of 7056	204	spoolsv.exe	diskperf.exe
PID 2332 set thread context of 7096	2332	spoolsv.exe	spoolsv.exe
PID 2332 set thread context of 612	2332	spoolsv.exe	diskperf.exe
PID 3884 set thread context of 7160	3884	spoolsv.exe	spoolsv.exe
PID 3884 set thread context of 1692	3884	spoolsv.exe	diskperf.exe
PID 296 set thread context of 6744	296	spoolsv.exe	spoolsv.exe
PID 296 set thread context of 4484	296	spoolsv.exe	diskperf.exe
PID 3792 set thread context of 2844	3792	spoolsv.exe	spoolsv.exe
PID 1552 set thread context of 3808	1552	spoolsv.exe	svchost.exe
PID 4032 set thread context of 6956	4032	spoolsv.exe	spoolsv.exe
PID 2420 set thread context of 7000	2420	spoolsv.exe	spoolsv.exe
PID 2420 set thread context of 4568	2420	spoolsv.exe	diskperf.exe
PID 3312 set thread context of 4628	3312	spoolsv.exe	spoolsv.exe
PID 2180 set thread context of 7156	2180	spoolsv.exe	diskperf.exe
PID 2180 set thread context of 2196	2180	spoolsv.exe	diskperf.exe
PID 640 set thread context of 6720	640	spoolsv.exe	spoolsv.exe
PID 640 set thread context of 4684	640	spoolsv.exe	diskperf.exe
PID 2340 set thread context of 2428	2340	spoolsv.exe	spoolsv.exe
PID 2340 set thread context of 2140	2340	spoolsv.exe	diskperf.exe
PID 4008 set thread context of 4736	4008	spoolsv.exe	svchost.exe
PID 4008 set thread context of 6936	4008	spoolsv.exe	diskperf.exe
PID 2088 set thread context of 6976	2088	spoolsv.exe	svchost.exe
PID 2088 set thread context of 928	2088	spoolsv.exe	diskperf.exe
PID 3896 set thread context of 1680	3896	spoolsv.exe	spoolsv.exe
PID 3896 set thread context of 7096	3896	spoolsv.exe	diskperf.exe
PID 1960 set thread context of 4780	1960	spoolsv.exe	spoolsv.exe
PID 3860 set thread context of 7048	3860	spoolsv.exe	spoolsv.exe
PID 3860 set thread context of 6764	3860	spoolsv.exe	diskperf.exe
PID 2424 set thread context of 6840	2424	spoolsv.exe	spoolsv.exe
PID 2424 set thread context of 7156	2424	spoolsv.exe	diskperf.exe
PID 1556 set thread context of 2216	1556	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 4892	1556	spoolsv.exe	diskperf.exe
PID 2348 set thread context of 1868	2348	spoolsv.exe	spoolsv.exe
PID 2348 set thread context of 2668	2348	spoolsv.exe	diskperf.exe
PID 736 set thread context of 4964	736	spoolsv.exe	spoolsv.exe
PID 2892 set thread context of 3880	2892	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	bc4a2d6d_by_Libranalysis.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exeexplorer.exe

pid	process
732	bc4a2d6d_by_Libranalysis.exe
732	bc4a2d6d_by_Libranalysis.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3108 explorer.exe

pid	process
3108	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exediskperf.exespoolsv.exespoolsv.exesvchost.exesvchost.exespoolsv.exe

pid	process
732	bc4a2d6d_by_Libranalysis.exe
732	bc4a2d6d_by_Libranalysis.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
6716	spoolsv.exe
6716	spoolsv.exe
6832	spoolsv.exe
6868	spoolsv.exe
6832	spoolsv.exe
6868	spoolsv.exe
6932	spoolsv.exe
6944	spoolsv.exe
6932	spoolsv.exe
6944	spoolsv.exe
7012	spoolsv.exe
7040	spoolsv.exe
7012	spoolsv.exe
7040	spoolsv.exe
7100	spoolsv.exe
7100	spoolsv.exe
2780	spoolsv.exe
2780	spoolsv.exe
4236	spoolsv.exe
4236	spoolsv.exe
6864	spoolsv.exe
6864	spoolsv.exe
6892	spoolsv.exe
6892	spoolsv.exe
6912	spoolsv.exe
6912	spoolsv.exe
1180	spoolsv.exe
1180	spoolsv.exe
6976	spoolsv.exe
6976	spoolsv.exe
7096	spoolsv.exe
7096	spoolsv.exe
7160	spoolsv.exe
7160	spoolsv.exe
6744	spoolsv.exe
6744	spoolsv.exe
2844	spoolsv.exe
2844	spoolsv.exe
3808	svchost.exe
3808	svchost.exe
6956	spoolsv.exe
6956	spoolsv.exe
7000	spoolsv.exe
7000	spoolsv.exe
4628	spoolsv.exe
4628	spoolsv.exe
7156	diskperf.exe
7156	diskperf.exe
6720	spoolsv.exe
6720	spoolsv.exe
2428	spoolsv.exe
2428	spoolsv.exe
4736	svchost.exe
4736	svchost.exe
6976	svchost.exe
6976	svchost.exe
1680	spoolsv.exe
1680	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exebc4a2d6d_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 4056 wrote to memory of 732	4056	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 4056 wrote to memory of 732	4056	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 4056 wrote to memory of 732	4056	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 4056 wrote to memory of 732	4056	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 4056 wrote to memory of 732	4056	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 4056 wrote to memory of 732	4056	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 4056 wrote to memory of 732	4056	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 4056 wrote to memory of 732	4056	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 4056 wrote to memory of 1100	4056	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 4056 wrote to memory of 1100	4056	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 4056 wrote to memory of 1100	4056	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 4056 wrote to memory of 1100	4056	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 4056 wrote to memory of 1100	4056	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 732 wrote to memory of 3956	732	bc4a2d6d_by_Libranalysis.exe	explorer.exe
PID 732 wrote to memory of 3956	732	bc4a2d6d_by_Libranalysis.exe	explorer.exe
PID 732 wrote to memory of 3956	732	bc4a2d6d_by_Libranalysis.exe	explorer.exe
PID 3956 wrote to memory of 3108	3956	explorer.exe	explorer.exe
PID 3956 wrote to memory of 3108	3956	explorer.exe	explorer.exe
PID 3956 wrote to memory of 3108	3956	explorer.exe	explorer.exe
PID 3956 wrote to memory of 3108	3956	explorer.exe	explorer.exe
PID 3956 wrote to memory of 3108	3956	explorer.exe	explorer.exe
PID 3956 wrote to memory of 3108	3956	explorer.exe	explorer.exe
PID 3956 wrote to memory of 3108	3956	explorer.exe	explorer.exe
PID 3956 wrote to memory of 3108	3956	explorer.exe	explorer.exe
PID 3956 wrote to memory of 2412	3956	explorer.exe	diskperf.exe
PID 3956 wrote to memory of 2412	3956	explorer.exe	diskperf.exe
PID 3956 wrote to memory of 2412	3956	explorer.exe	diskperf.exe
PID 3956 wrote to memory of 2412	3956	explorer.exe	diskperf.exe
PID 3956 wrote to memory of 2412	3956	explorer.exe	diskperf.exe
PID 3108 wrote to memory of 3404	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 3404	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 3404	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 3828	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 3828	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 3828	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 1524	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 1524	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 1524	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 3692	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 3692	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 3692	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 4064	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 4064	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 4064	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 800	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 800	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 800	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 568	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 568	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 568	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2276	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2276	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2276	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2200	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2200	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2200	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2248	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2248	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2248	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 1824	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 1824	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 1824	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2144	3108	explorer.exe	spoolsv.exe
PID 3108 wrote to memory of 2144	3108	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\bc4a2d6d_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\bc4a2d6d_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\bc4a2d6d_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\bc4a2d6d_by_Libranalysis.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:732

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3956

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6716

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7012

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6892

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1180

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6952

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7096

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7160

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6744

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3248

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2844

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3808

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4352

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7000

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4628

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:7156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2428

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Suspicious use of SetWindowsHookEx
PID:3808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4736

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4752

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:6976

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4780

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:7048

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:6840

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:7156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2216

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Suspicious use of SetWindowsHookEx
PID:4736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Suspicious use of SetWindowsHookEx
PID:6976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:360

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4104

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4172

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2192

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4764

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4340

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1512

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4120

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4408

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2068

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4168

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5260

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3880

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4360

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4116

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1392

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:732

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4396

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5536

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5216

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:2412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
bc4a2d6d59a0aee1a434e93f5d59019a

SHA1
2403a1c0017b46d2357f3730b9d5c16fa7284a28

SHA256
926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea

SHA512
5b808a743ed3663656417dc23b9614dc89ab25c5814040f76afa356659ce3614431a2580963e977c9169d262ba80a4238d70ab53b7317f1b6003fd5111e8ba47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
f54b4fb7f21202d5e2cf28758084ae1a

SHA1
57ce91d56d4196e3be8d8d0d2bfedbc8f2ad5cfc

SHA256
233f37f5449d6b210c073525fbb0520e029e68df282c9a0a7ce3bf830254ec62

SHA512
64292e9f961d720cef643bf992f53a11e0e9c1de2dbc6ab537b40681316b2e9f1755edfc793eca89f53c010c3f92b71a222dad1e1ba2045f413b4c1465e5b929

Download Submit
C:\Windows\System\explorer.exe
MD5
f54b4fb7f21202d5e2cf28758084ae1a

SHA1
57ce91d56d4196e3be8d8d0d2bfedbc8f2ad5cfc

SHA256
233f37f5449d6b210c073525fbb0520e029e68df282c9a0a7ce3bf830254ec62

SHA512
64292e9f961d720cef643bf992f53a11e0e9c1de2dbc6ab537b40681316b2e9f1755edfc793eca89f53c010c3f92b71a222dad1e1ba2045f413b4c1465e5b929

Download Submit
C:\Windows\System\explorer.exe
MD5
f54b4fb7f21202d5e2cf28758084ae1a

SHA1
57ce91d56d4196e3be8d8d0d2bfedbc8f2ad5cfc

SHA256
233f37f5449d6b210c073525fbb0520e029e68df282c9a0a7ce3bf830254ec62

SHA512
64292e9f961d720cef643bf992f53a11e0e9c1de2dbc6ab537b40681316b2e9f1755edfc793eca89f53c010c3f92b71a222dad1e1ba2045f413b4c1465e5b929

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
\??\c:\windows\system\explorer.exe
MD5
f54b4fb7f21202d5e2cf28758084ae1a

SHA1
57ce91d56d4196e3be8d8d0d2bfedbc8f2ad5cfc

SHA256
233f37f5449d6b210c073525fbb0520e029e68df282c9a0a7ce3bf830254ec62

SHA512
64292e9f961d720cef643bf992f53a11e0e9c1de2dbc6ab537b40681316b2e9f1755edfc793eca89f53c010c3f92b71a222dad1e1ba2045f413b4c1465e5b929

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
96a5bb079909e2f7b553fea775cad2e3

SHA1
bd6025b9247c51bc6251aabae14ef9a282974947

SHA256
9962468f9e6430f4a7287bb295a4fe1e4b07454beabf7c13fd65094126c72b6e

SHA512
054e3b0dd95fbd9e0e9dbdb87def788b7ca752320eb2fe647791ac324355cb4955faf55c6b218809c250c365733614db3cd7926346160ebf9b07c55aaaa9f17d

Download Submit
memory/204-185-0x0000000000000000-mapping.dmp

Download
memory/204-189-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/296-198-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/296-194-0x0000000000000000-mapping.dmp

Download
memory/568-164-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/568-160-0x0000000000000000-mapping.dmp

Download
memory/640-215-0x0000000000000000-mapping.dmp

Download
memory/640-219-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/732-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/732-116-0x0000000000403670-mapping.dmp

Download
memory/732-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/736-246-0x0000000000000000-mapping.dmp

Download
memory/736-252-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/800-158-0x0000000000000000-mapping.dmp

Download
memory/800-165-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/896-264-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/896-259-0x0000000000000000-mapping.dmp

Download
memory/1100-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1100-118-0x0000000000411000-mapping.dmp

Download
memory/1100-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1524-153-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1524-149-0x0000000000000000-mapping.dmp

Download
memory/1552-201-0x0000000000000000-mapping.dmp

Download
memory/1552-209-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1556-240-0x0000000000000000-mapping.dmp

Download
memory/1556-243-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1788-253-0x0000000000000000-mapping.dmp

Download
memory/1788-261-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1796-263-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1796-257-0x0000000000000000-mapping.dmp

Download
memory/1824-172-0x0000000000000000-mapping.dmp

Download
memory/1824-175-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1960-238-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1960-232-0x0000000000000000-mapping.dmp

Download
memory/2072-182-0x0000000000000000-mapping.dmp

Download
memory/2072-187-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/2088-230-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2088-224-0x0000000000000000-mapping.dmp

Download
memory/2120-180-0x0000000000000000-mapping.dmp

Download
memory/2120-186-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2144-178-0x0000000000000000-mapping.dmp

Download
memory/2144-184-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2180-213-0x0000000000000000-mapping.dmp

Download
memory/2200-176-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2200-168-0x0000000000000000-mapping.dmp

Download
memory/2248-177-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2248-170-0x0000000000000000-mapping.dmp

Download
memory/2276-166-0x0000000000000000-mapping.dmp

Download
memory/2276-174-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2332-190-0x0000000000000000-mapping.dmp

Download
memory/2332-196-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2340-228-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2340-220-0x0000000000000000-mapping.dmp

Download
memory/2348-244-0x0000000000000000-mapping.dmp

Download
memory/2348-250-0x0000000000950000-0x00000000009DE000-memory.dmp

Filesize
568KB

Download
memory/2412-136-0x0000000000411000-mapping.dmp

Download
memory/2420-205-0x0000000000000000-mapping.dmp

Download
memory/2420-208-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2424-241-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2424-236-0x0000000000000000-mapping.dmp

Download
memory/2892-251-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2892-248-0x0000000000000000-mapping.dmp

Download
memory/3108-131-0x0000000000403670-mapping.dmp

Download
memory/3312-211-0x0000000000000000-mapping.dmp

Download
memory/3312-217-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3404-144-0x0000000000000000-mapping.dmp

Download
memory/3404-151-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3692-162-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3692-154-0x0000000000000000-mapping.dmp

Download
memory/3792-199-0x0000000000000000-mapping.dmp

Download
memory/3792-207-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3828-147-0x0000000000000000-mapping.dmp

Download
memory/3828-152-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3860-239-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3860-234-0x0000000000000000-mapping.dmp

Download
memory/3884-192-0x0000000000000000-mapping.dmp

Download
memory/3884-197-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3896-226-0x0000000000000000-mapping.dmp

Download
memory/3896-231-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3952-255-0x0000000000000000-mapping.dmp

Download
memory/3952-262-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3956-124-0x0000000000000000-mapping.dmp

Download
memory/3956-129-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4008-222-0x0000000000000000-mapping.dmp

Download
memory/4008-229-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4032-203-0x0000000000000000-mapping.dmp

Download
memory/4032-210-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4056-114-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4064-156-0x0000000000000000-mapping.dmp

Download
memory/4064-163-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4136-271-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4136-265-0x0000000000000000-mapping.dmp

Download
memory/4160-267-0x0000000000000000-mapping.dmp

Download
memory/4160-272-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4184-269-0x0000000000000000-mapping.dmp

Download
memory/4184-273-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4220-282-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4220-274-0x0000000000000000-mapping.dmp

Download
memory/4244-276-0x0000000000000000-mapping.dmp

Download
memory/4268-278-0x0000000000000000-mapping.dmp

Download
memory/4268-285-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4292-283-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/4292-280-0x0000000000000000-mapping.dmp

Download
memory/4332-286-0x0000000000000000-mapping.dmp

Download
memory/4332-292-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4356-293-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4356-288-0x0000000000000000-mapping.dmp

Download
memory/4380-290-0x0000000000000000-mapping.dmp

Download
memory/4380-294-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4416-303-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4416-295-0x0000000000000000-mapping.dmp

Download
memory/4440-297-0x0000000000000000-mapping.dmp

Download
memory/4440-305-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4464-299-0x0000000000000000-mapping.dmp

Download
memory/4464-306-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4488-304-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/4488-301-0x0000000000000000-mapping.dmp

Download
memory/4528-307-0x0000000000000000-mapping.dmp

Download
memory/4528-313-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4552-309-0x0000000000000000-mapping.dmp

Download
memory/4552-315-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/4576-311-0x0000000000000000-mapping.dmp

Download
memory/4576-314-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4612-316-0x0000000000000000-mapping.dmp

Download
memory/4612-319-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4636-318-0x0000000000000000-mapping.dmp

Download