warzonerat | c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d

Analysis

max time kernel
150s
max time network
113s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
Size

1.8MB
MD5

fd88e732993de57ca0bfd7d092c26131
SHA1

b3ad7ac5a3531a84654b1ac2364c12242de08f66
SHA256

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d
SHA512

5d45fd176f8e5e57e7077919afb14b47f8a3818377b47a21ce11f5ac5a74df46d6ead66e7acdfdeb04aeb3c1c667b196f6cc6378db21a3a82c80d471f472b148

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
876	explorer.exe
572	explorer.exe
1540	spoolsv.exe
1460	spoolsv.exe
1468	spoolsv.exe
2036	spoolsv.exe
1584	spoolsv.exe
1776	spoolsv.exe
1512	spoolsv.exe
2028	spoolsv.exe
1344	spoolsv.exe
940	spoolsv.exe
336	spoolsv.exe
316	spoolsv.exe
432	spoolsv.exe
1756	spoolsv.exe
1548	spoolsv.exe
1988	spoolsv.exe
620	spoolsv.exe
1764	spoolsv.exe
560	spoolsv.exe
660	spoolsv.exe
856	spoolsv.exe
1352	spoolsv.exe
1300	spoolsv.exe
1576	spoolsv.exe
532	spoolsv.exe
1316	spoolsv.exe
1572	spoolsv.exe
956	spoolsv.exe
944	spoolsv.exe
276	spoolsv.exe
1580	spoolsv.exe
1392	spoolsv.exe
376	spoolsv.exe
1536	spoolsv.exe
648	spoolsv.exe
1164	spoolsv.exe
1196	spoolsv.exe
1780	spoolsv.exe
2040	spoolsv.exe
812	spoolsv.exe
1848	spoolsv.exe
1668	spoolsv.exe
1860	spoolsv.exe
1596	spoolsv.exe
1220	spoolsv.exe
1640	spoolsv.exe
968	spoolsv.exe
1520	spoolsv.exe
1524	spoolsv.exe
1384	spoolsv.exe
1100	spoolsv.exe
984	spoolsv.exe
1964	spoolsv.exe
1364	spoolsv.exe
1092	spoolsv.exe
912	spoolsv.exe
1604	spoolsv.exe
1864	spoolsv.exe
1400	spoolsv.exe
1920	spoolsv.exe
612	spoolsv.exe
1924	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exeexplorer.exe

pid	process
1528	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
1528	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe

Adds Run key to start application 2 TTPs 39 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exec97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 788 set thread context of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 set thread context of 1168	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 876 set thread context of 572	876	explorer.exe	explorer.exe
PID 876 set thread context of 1192	876	explorer.exe	diskperf.exe
PID 1540 set thread context of 1424	1540	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 1504	1540	spoolsv.exe	diskperf.exe
PID 1460 set thread context of 3104	1460	spoolsv.exe	spoolsv.exe
PID 1460 set thread context of 3112	1460	spoolsv.exe	diskperf.exe
PID 1468 set thread context of 3140	1468	spoolsv.exe	spoolsv.exe
PID 1468 set thread context of 3148	1468	spoolsv.exe	diskperf.exe
PID 2036 set thread context of 3176	2036	spoolsv.exe	spoolsv.exe
PID 2036 set thread context of 3184	2036	spoolsv.exe	diskperf.exe
PID 1584 set thread context of 3212	1584	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 3220	1584	spoolsv.exe	diskperf.exe
PID 1776 set thread context of 3248	1776	spoolsv.exe	spoolsv.exe
PID 1776 set thread context of 3256	1776	spoolsv.exe	diskperf.exe
PID 1512 set thread context of 3288	1512	spoolsv.exe	spoolsv.exe
PID 1512 set thread context of 3296	1512	spoolsv.exe	diskperf.exe
PID 2028 set thread context of 3324	2028	spoolsv.exe	spoolsv.exe
PID 2028 set thread context of 3332	2028	spoolsv.exe	diskperf.exe
PID 1344 set thread context of 3360	1344	spoolsv.exe	spoolsv.exe
PID 1344 set thread context of 3368	1344	spoolsv.exe	diskperf.exe
PID 940 set thread context of 3396	940	spoolsv.exe	spoolsv.exe
PID 940 set thread context of 3404	940	spoolsv.exe	diskperf.exe
PID 336 set thread context of 3432	336	spoolsv.exe	spoolsv.exe
PID 336 set thread context of 3440	336	spoolsv.exe	diskperf.exe
PID 316 set thread context of 3468	316	spoolsv.exe	spoolsv.exe
PID 316 set thread context of 3488	316	spoolsv.exe	diskperf.exe
PID 1756 set thread context of 3496	1756	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 3504	1756	spoolsv.exe	diskperf.exe
PID 432 set thread context of 3524	432	spoolsv.exe	spoolsv.exe
PID 432 set thread context of 3536	432	spoolsv.exe	diskperf.exe
PID 1548 set thread context of 3544	1548	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 3552	1548	spoolsv.exe	diskperf.exe
PID 1988 set thread context of 3580	1988	spoolsv.exe	spoolsv.exe
PID 1988 set thread context of 3600	1988	spoolsv.exe	diskperf.exe
PID 620 set thread context of 3612	620	spoolsv.exe	spoolsv.exe
PID 620 set thread context of 3620	620	spoolsv.exe	diskperf.exe
PID 1764 set thread context of 3628	1764	spoolsv.exe	spoolsv.exe
PID 1764 set thread context of 3648	1764	spoolsv.exe	diskperf.exe
PID 560 set thread context of 3660	560	spoolsv.exe	spoolsv.exe
PID 560 set thread context of 3668	560	spoolsv.exe	diskperf.exe
PID 660 set thread context of 3692	660	spoolsv.exe	spoolsv.exe
PID 660 set thread context of 3700	660	spoolsv.exe	diskperf.exe
PID 856 set thread context of 3708	856	spoolsv.exe	spoolsv.exe
PID 856 set thread context of 3736	856	spoolsv.exe	diskperf.exe
PID 1352 set thread context of 3728	1352	spoolsv.exe	spoolsv.exe
PID 1352 set thread context of 3744	1352	spoolsv.exe	diskperf.exe
PID 1576 set thread context of 3752	1576	spoolsv.exe	spoolsv.exe
PID 1576 set thread context of 3760	1576	spoolsv.exe	diskperf.exe
PID 1300 set thread context of 3768	1300	spoolsv.exe	spoolsv.exe
PID 532 set thread context of 3796	532	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 3788	1300	spoolsv.exe	diskperf.exe
PID 532 set thread context of 3808	532	spoolsv.exe	diskperf.exe
PID 1316 set thread context of 3816	1316	spoolsv.exe	spoolsv.exe
PID 1316 set thread context of 3824	1316	spoolsv.exe	diskperf.exe
PID 1572 set thread context of 3832	1572	spoolsv.exe	spoolsv.exe
PID 1572 set thread context of 3844	1572	spoolsv.exe	diskperf.exe
PID 956 set thread context of 3868	956	spoolsv.exe	spoolsv.exe
PID 956 set thread context of 3876	956	spoolsv.exe	diskperf.exe
PID 944 set thread context of 3896	944	spoolsv.exe	spoolsv.exe
PID 944 set thread context of 3904	944	spoolsv.exe	diskperf.exe
PID 276 set thread context of 3924	276	spoolsv.exe	spoolsv.exe
PID 1580 set thread context of 3932	1580	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exec97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exeexplorer.exe

pid	process
1528	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

572 explorer.exe

pid	process
572	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1528	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
1528	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
572	explorer.exe
1424	spoolsv.exe
1424	spoolsv.exe
3104	spoolsv.exe
3104	spoolsv.exe
3140	spoolsv.exe
3140	spoolsv.exe
3176	spoolsv.exe
3176	spoolsv.exe
3212	spoolsv.exe
3212	spoolsv.exe
3248	spoolsv.exe
3248	spoolsv.exe
3288	spoolsv.exe
3288	spoolsv.exe
3324	spoolsv.exe
3324	spoolsv.exe
3360	spoolsv.exe
3360	spoolsv.exe
3396	spoolsv.exe
3396	spoolsv.exe
3432	spoolsv.exe
3432	spoolsv.exe
3468	spoolsv.exe
3468	spoolsv.exe
3496	spoolsv.exe
3496	spoolsv.exe
3524	spoolsv.exe
3524	spoolsv.exe
3544	spoolsv.exe
3544	spoolsv.exe
3580	spoolsv.exe
3580	spoolsv.exe
3612	spoolsv.exe
3612	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
3660	spoolsv.exe
3660	spoolsv.exe
3692	spoolsv.exe
3692	spoolsv.exe
3708	spoolsv.exe
3728	spoolsv.exe
3728	spoolsv.exe
3708	spoolsv.exe
3752	spoolsv.exe
3752	spoolsv.exe
3796	spoolsv.exe
3796	spoolsv.exe
3768	spoolsv.exe
3816	spoolsv.exe
3816	spoolsv.exe
3768	spoolsv.exe
3832	spoolsv.exe
3832	spoolsv.exe
3868	spoolsv.exe
3868	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exec97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 788 wrote to memory of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 wrote to memory of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 wrote to memory of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 wrote to memory of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 wrote to memory of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 wrote to memory of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 wrote to memory of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 wrote to memory of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 wrote to memory of 1528	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 788 wrote to memory of 1168	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 788 wrote to memory of 1168	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 788 wrote to memory of 1168	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 788 wrote to memory of 1168	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 788 wrote to memory of 1168	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 788 wrote to memory of 1168	788	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 1528 wrote to memory of 876	1528	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	explorer.exe
PID 1528 wrote to memory of 876	1528	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	explorer.exe
PID 1528 wrote to memory of 876	1528	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	explorer.exe
PID 1528 wrote to memory of 876	1528	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	explorer.exe
PID 876 wrote to memory of 572	876	explorer.exe	explorer.exe
PID 876 wrote to memory of 572	876	explorer.exe	explorer.exe
PID 876 wrote to memory of 572	876	explorer.exe	explorer.exe
PID 876 wrote to memory of 572	876	explorer.exe	explorer.exe
PID 876 wrote to memory of 572	876	explorer.exe	explorer.exe
PID 876 wrote to memory of 572	876	explorer.exe	explorer.exe
PID 876 wrote to memory of 572	876	explorer.exe	explorer.exe
PID 876 wrote to memory of 572	876	explorer.exe	explorer.exe
PID 876 wrote to memory of 572	876	explorer.exe	explorer.exe
PID 876 wrote to memory of 1192	876	explorer.exe	diskperf.exe
PID 876 wrote to memory of 1192	876	explorer.exe	diskperf.exe
PID 876 wrote to memory of 1192	876	explorer.exe	diskperf.exe
PID 876 wrote to memory of 1192	876	explorer.exe	diskperf.exe
PID 876 wrote to memory of 1192	876	explorer.exe	diskperf.exe
PID 876 wrote to memory of 1192	876	explorer.exe	diskperf.exe
PID 572 wrote to memory of 1540	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1540	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1540	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1540	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1460	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1460	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1460	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1460	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1468	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1468	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1468	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1468	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 2036	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 2036	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 2036	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 2036	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1584	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1584	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1584	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1584	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1776	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1776	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1776	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1776	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1512	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1512	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1512	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 1512	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 2028	572	explorer.exe	spoolsv.exe
PID 572 wrote to memory of 2028	572	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
"C:\Users\Admin\AppData\Local\Temp\c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:788

C:\Users\Admin\AppData\Local\Temp\c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
"C:\Users\Admin\AppData\Local\Temp\c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:876

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1424

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3104

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3140

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3176

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3212

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3240

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3248

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3272

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3288

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3324

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3360

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3396

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3432

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3452

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3468

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3496

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3516

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3544

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3660

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3832

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3896

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3924

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3952

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3988

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3108

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3172

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3208

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3216

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3252

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3312

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3352

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3392

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3400

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:272

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3472

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3636

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3840

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1368

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1192

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1168

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1448

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
fd88e732993de57ca0bfd7d092c26131

SHA1
b3ad7ac5a3531a84654b1ac2364c12242de08f66

SHA256
c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d

SHA512
5d45fd176f8e5e57e7077919afb14b47f8a3818377b47a21ce11f5ac5a74df46d6ead66e7acdfdeb04aeb3c1c667b196f6cc6378db21a3a82c80d471f472b148

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
3be0d5b8b4219955b038440325951ccc

SHA1
0954a57ef57c9380f124aed48046edce13e629bb

SHA256
7c416ac34d14bf4b547d2ae0a195e46a900c8ed67c59308d39498bb7ec226626

SHA512
05ccff9d7441a49208a074031038dd5f9963aae9c62ec322c23d299044e672d9090e7b149b206f482f671b775d71d8eaffdbd5834e1ad4dcb327be31c86a4595

Download Submit
C:\Windows\system\explorer.exe
MD5
3be0d5b8b4219955b038440325951ccc

SHA1
0954a57ef57c9380f124aed48046edce13e629bb

SHA256
7c416ac34d14bf4b547d2ae0a195e46a900c8ed67c59308d39498bb7ec226626

SHA512
05ccff9d7441a49208a074031038dd5f9963aae9c62ec322c23d299044e672d9090e7b149b206f482f671b775d71d8eaffdbd5834e1ad4dcb327be31c86a4595

Download Submit
C:\Windows\system\explorer.exe
MD5
3be0d5b8b4219955b038440325951ccc

SHA1
0954a57ef57c9380f124aed48046edce13e629bb

SHA256
7c416ac34d14bf4b547d2ae0a195e46a900c8ed67c59308d39498bb7ec226626

SHA512
05ccff9d7441a49208a074031038dd5f9963aae9c62ec322c23d299044e672d9090e7b149b206f482f671b775d71d8eaffdbd5834e1ad4dcb327be31c86a4595

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
C:\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\??\c:\windows\system\explorer.exe
MD5
3be0d5b8b4219955b038440325951ccc

SHA1
0954a57ef57c9380f124aed48046edce13e629bb

SHA256
7c416ac34d14bf4b547d2ae0a195e46a900c8ed67c59308d39498bb7ec226626

SHA512
05ccff9d7441a49208a074031038dd5f9963aae9c62ec322c23d299044e672d9090e7b149b206f482f671b775d71d8eaffdbd5834e1ad4dcb327be31c86a4595

Download Submit
\Windows\system\explorer.exe
MD5
3be0d5b8b4219955b038440325951ccc

SHA1
0954a57ef57c9380f124aed48046edce13e629bb

SHA256
7c416ac34d14bf4b547d2ae0a195e46a900c8ed67c59308d39498bb7ec226626

SHA512
05ccff9d7441a49208a074031038dd5f9963aae9c62ec322c23d299044e672d9090e7b149b206f482f671b775d71d8eaffdbd5834e1ad4dcb327be31c86a4595

Download Submit
\Windows\system\explorer.exe
MD5
3be0d5b8b4219955b038440325951ccc

SHA1
0954a57ef57c9380f124aed48046edce13e629bb

SHA256
7c416ac34d14bf4b547d2ae0a195e46a900c8ed67c59308d39498bb7ec226626

SHA512
05ccff9d7441a49208a074031038dd5f9963aae9c62ec322c23d299044e672d9090e7b149b206f482f671b775d71d8eaffdbd5834e1ad4dcb327be31c86a4595

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
\Windows\system\spoolsv.exe
MD5
85db045ccfd6b98cd10ac9a93bd6249b

SHA1
7c8eb9f39030fd42bd9c84820d5cbd7500ef85a9

SHA256
3da399ecede0fd6df1a3be4ff66b448dd74e9ebca61ab2d37e4b4127f5a43c98

SHA512
0c8155df9289f193b7ccc3c645b0905692fea274a1e8db9de6358fafaea1643a8966be1693f6a043fdf3350eaea7f609eeb60ae03359844604c2005139223112

Download Submit
memory/276-237-0x0000000000000000-mapping.dmp

Download
memory/276-250-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/316-168-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/316-161-0x0000000000000000-mapping.dmp

Download
memory/336-154-0x0000000000000000-mapping.dmp

Download
memory/336-158-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/376-243-0x0000000000000000-mapping.dmp

Download
memory/432-166-0x0000000000000000-mapping.dmp

Download
memory/532-232-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/532-220-0x0000000000000000-mapping.dmp

Download
memory/560-202-0x0000000000000000-mapping.dmp

Download
memory/572-80-0x0000000000403670-mapping.dmp

Download
memory/620-191-0x0000000000000000-mapping.dmp

Download
memory/620-199-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/648-247-0x0000000000000000-mapping.dmp

Download
memory/648-257-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/660-206-0x0000000000000000-mapping.dmp

Download
memory/788-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/812-264-0x0000000000000000-mapping.dmp

Download
memory/856-208-0x0000000000000000-mapping.dmp

Download
memory/876-72-0x0000000000000000-mapping.dmp

Download
memory/876-77-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/912-304-0x0000000000000000-mapping.dmp

Download
memory/940-157-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/940-149-0x0000000000000000-mapping.dmp

Download
memory/944-236-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/944-228-0x0000000000000000-mapping.dmp

Download
memory/956-235-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/956-226-0x0000000000000000-mapping.dmp

Download
memory/968-285-0x0000000000000000-mapping.dmp

Download
memory/984-305-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/984-298-0x0000000000000000-mapping.dmp

Download
memory/1092-301-0x0000000000000000-mapping.dmp

Download
memory/1092-309-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1100-297-0x0000000000000000-mapping.dmp

Download
memory/1100-303-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1164-249-0x0000000000000000-mapping.dmp

Download
memory/1168-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1168-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1168-66-0x0000000000411000-mapping.dmp

Download
memory/1192-85-0x0000000000411000-mapping.dmp

Download
memory/1196-258-0x0000000000000000-mapping.dmp

Download
memory/1196-270-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1220-281-0x0000000000000000-mapping.dmp

Download
memory/1300-216-0x0000000000000000-mapping.dmp

Download
memory/1316-222-0x0000000000000000-mapping.dmp

Download
memory/1344-142-0x0000000000000000-mapping.dmp

Download
memory/1344-146-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1352-210-0x0000000000000000-mapping.dmp

Download
memory/1352-215-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1364-300-0x0000000000000000-mapping.dmp

Download
memory/1384-296-0x0000000000000000-mapping.dmp

Download
memory/1384-302-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1392-253-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1392-241-0x0000000000000000-mapping.dmp

Download
memory/1400-312-0x0000000000000000-mapping.dmp

Download
memory/1460-110-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1460-101-0x0000000000000000-mapping.dmp

Download
memory/1468-106-0x0000000000000000-mapping.dmp

Download
memory/1468-113-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1512-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1512-130-0x0000000000000000-mapping.dmp

Download
memory/1520-294-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1520-287-0x0000000000000000-mapping.dmp

Download
memory/1524-295-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1524-289-0x0000000000000000-mapping.dmp

Download
memory/1528-62-0x0000000000403670-mapping.dmp

Download
memory/1528-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1536-245-0x0000000000000000-mapping.dmp

Download
memory/1536-256-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1540-95-0x0000000000000000-mapping.dmp

Download
memory/1540-98-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1548-182-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1548-177-0x0000000000000000-mapping.dmp

Download
memory/1572-224-0x0000000000000000-mapping.dmp

Download
memory/1576-231-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1576-218-0x0000000000000000-mapping.dmp

Download
memory/1580-252-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1580-239-0x0000000000000000-mapping.dmp

Download
memory/1584-118-0x0000000000000000-mapping.dmp

Download
memory/1596-290-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-279-0x0000000000000000-mapping.dmp

Download
memory/1604-310-0x0000000000000000-mapping.dmp

Download
memory/1604-313-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1640-283-0x0000000000000000-mapping.dmp

Download
memory/1640-292-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1668-277-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1668-268-0x0000000000000000-mapping.dmp

Download
memory/1756-181-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1756-172-0x0000000000000000-mapping.dmp

Download
memory/1764-196-0x0000000000000000-mapping.dmp

Download
memory/1776-125-0x0000000000000000-mapping.dmp

Download
memory/1776-133-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1780-260-0x0000000000000000-mapping.dmp

Download
memory/1848-266-0x0000000000000000-mapping.dmp

Download
memory/1848-276-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1860-271-0x0000000000000000-mapping.dmp

Download
memory/1864-314-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1864-311-0x0000000000000000-mapping.dmp

Download
memory/1964-299-0x0000000000000000-mapping.dmp

Download
memory/1964-306-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1988-185-0x0000000000000000-mapping.dmp

Download
memory/1988-189-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2028-137-0x0000000000000000-mapping.dmp

Download
memory/2028-145-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2036-112-0x0000000000000000-mapping.dmp

Download
memory/2036-121-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2040-273-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2040-262-0x0000000000000000-mapping.dmp

Download