warzonerat | c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
Size

1.8MB
MD5

fd88e732993de57ca0bfd7d092c26131
SHA1

b3ad7ac5a3531a84654b1ac2364c12242de08f66
SHA256

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d
SHA512

5d45fd176f8e5e57e7077919afb14b47f8a3818377b47a21ce11f5ac5a74df46d6ead66e7acdfdeb04aeb3c1c667b196f6cc6378db21a3a82c80d471f472b148

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3460	explorer.exe
3780	explorer.exe
3452	spoolsv.exe
3996	spoolsv.exe
1824	spoolsv.exe
3664	spoolsv.exe
3188	spoolsv.exe
2280	spoolsv.exe
3492	spoolsv.exe
3480	spoolsv.exe
412	spoolsv.exe
1120	spoolsv.exe
1032	spoolsv.exe
1948	spoolsv.exe
3912	spoolsv.exe
1292	spoolsv.exe
1124	spoolsv.exe
2920	spoolsv.exe
3500	spoolsv.exe
3944	spoolsv.exe
1448	spoolsv.exe
1336	spoolsv.exe
4060	spoolsv.exe
1724	spoolsv.exe
848	spoolsv.exe
1552	spoolsv.exe
2796	spoolsv.exe
2892	spoolsv.exe
1352	spoolsv.exe
1332	spoolsv.exe
1860	spoolsv.exe
2008	spoolsv.exe
3168	spoolsv.exe
692	spoolsv.exe
212	spoolsv.exe
1128	spoolsv.exe
2376	spoolsv.exe
344	spoolsv.exe
1664	spoolsv.exe
1792	spoolsv.exe
2080	spoolsv.exe
2328	spoolsv.exe
2248	spoolsv.exe
3384	spoolsv.exe
1940	spoolsv.exe
3972	spoolsv.exe
2604	spoolsv.exe
2100	spoolsv.exe
4104	spoolsv.exe
4128	spoolsv.exe
4152	spoolsv.exe
4188	spoolsv.exe
4212	spoolsv.exe
4236	spoolsv.exe
4260	spoolsv.exe
4300	spoolsv.exe
4324	spoolsv.exe
4348	spoolsv.exe
4384	spoolsv.exe
4408	spoolsv.exe
4432	spoolsv.exe
4460	spoolsv.exe
4476	spoolsv.exe
4492	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exec97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 644 set thread context of 3672	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 644 set thread context of 3576	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 3460 set thread context of 3780	3460	explorer.exe	explorer.exe
PID 3460 set thread context of 1648	3460	explorer.exe	diskperf.exe
PID 3452 set thread context of 6764	3452	spoolsv.exe	spoolsv.exe
PID 3452 set thread context of 6792	3452	spoolsv.exe	diskperf.exe
PID 3996 set thread context of 6856	3996	spoolsv.exe	spoolsv.exe
PID 3996 set thread context of 6880	3996	spoolsv.exe	diskperf.exe
PID 1824 set thread context of 6948	1824	spoolsv.exe	spoolsv.exe
PID 1824 set thread context of 6968	1824	spoolsv.exe	diskperf.exe
PID 3664 set thread context of 7000	3664	spoolsv.exe	spoolsv.exe
PID 3664 set thread context of 7048	3664	spoolsv.exe	diskperf.exe
PID 3188 set thread context of 7072	3188	spoolsv.exe	spoolsv.exe
PID 3188 set thread context of 7104	3188	spoolsv.exe	diskperf.exe
PID 2280 set thread context of 7144	2280	spoolsv.exe	spoolsv.exe
PID 3492 set thread context of 7152	3492	spoolsv.exe	spoolsv.exe
PID 2280 set thread context of 2472	2280	spoolsv.exe	diskperf.exe
PID 3480 set thread context of 6864	3480	spoolsv.exe	spoolsv.exe
PID 412 set thread context of 6936	412	spoolsv.exe	spoolsv.exe
PID 3480 set thread context of 6876	3480	spoolsv.exe	diskperf.exe
PID 1120 set thread context of 6992	1120	spoolsv.exe	spoolsv.exe
PID 1120 set thread context of 6952	1120	spoolsv.exe	diskperf.exe
PID 1032 set thread context of 7084	1032	spoolsv.exe	spoolsv.exe
PID 1032 set thread context of 7040	1032	spoolsv.exe	diskperf.exe
PID 1948 set thread context of 7160	1948	spoolsv.exe	spoolsv.exe
PID 1948 set thread context of 7112	1948	spoolsv.exe	diskperf.exe
PID 3912 set thread context of 6824	3912	spoolsv.exe	spoolsv.exe
PID 3912 set thread context of 604	3912	spoolsv.exe	diskperf.exe
PID 1292 set thread context of 2204	1292	spoolsv.exe	spoolsv.exe
PID 1292 set thread context of 6828	1292	spoolsv.exe	diskperf.exe
PID 1124 set thread context of 6768	1124	spoolsv.exe	spoolsv.exe
PID 1124 set thread context of 2188	1124	spoolsv.exe	diskperf.exe
PID 2920 set thread context of 1512	2920	spoolsv.exe	spoolsv.exe
PID 2920 set thread context of 7064	2920	spoolsv.exe	diskperf.exe
PID 3500 set thread context of 7080	3500	spoolsv.exe	spoolsv.exe
PID 3500 set thread context of 4256	3500	spoolsv.exe	diskperf.exe
PID 3944 set thread context of 6832	3944	spoolsv.exe	spoolsv.exe
PID 3944 set thread context of 2540	3944	spoolsv.exe	diskperf.exe
PID 1448 set thread context of 1172	1448	spoolsv.exe	spoolsv.exe
PID 1448 set thread context of 6900	1448	spoolsv.exe	diskperf.exe
PID 1336 set thread context of 3760	1336	spoolsv.exe	spoolsv.exe
PID 1336 set thread context of 3768	1336	spoolsv.exe	diskperf.exe
PID 4060 set thread context of 7044	4060	spoolsv.exe	spoolsv.exe
PID 4060 set thread context of 3540	4060	spoolsv.exe	diskperf.exe
PID 1724 set thread context of 2284	1724	spoolsv.exe	spoolsv.exe
PID 1724 set thread context of 2344	1724	spoolsv.exe	diskperf.exe
PID 848 set thread context of 4468	848	spoolsv.exe	diskperf.exe
PID 848 set thread context of 664	848	spoolsv.exe	diskperf.exe
PID 1552 set thread context of 3272	1552	spoolsv.exe	spoolsv.exe
PID 1552 set thread context of 4280	1552	spoolsv.exe	diskperf.exe
PID 2796 set thread context of 3464	2796	spoolsv.exe	spoolsv.exe
PID 2892 set thread context of 2644	2892	spoolsv.exe	spoolsv.exe
PID 2892 set thread context of 4584	2892	spoolsv.exe	diskperf.exe
PID 1352 set thread context of 7024	1352	spoolsv.exe	spoolsv.exe
PID 1352 set thread context of 4468	1352	spoolsv.exe	diskperf.exe
PID 1332 set thread context of 3272	1332	spoolsv.exe	spoolsv.exe
PID 1332 set thread context of 4628	1332	spoolsv.exe	diskperf.exe
PID 1860 set thread context of 1472	1860	spoolsv.exe	spoolsv.exe
PID 1860 set thread context of 788	1860	spoolsv.exe	diskperf.exe
PID 2008 set thread context of 4444	2008	spoolsv.exe	spoolsv.exe
PID 2008 set thread context of 4676	2008	spoolsv.exe	diskperf.exe
PID 3168 set thread context of 4728	3168	spoolsv.exe	svchost.exe
PID 692 set thread context of 4760	692	spoolsv.exe	spoolsv.exe
PID 692 set thread context of 4660	692	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exeexplorer.exe

pid	process
3672	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
3672	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3780 explorer.exe

pid	process
3780	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exediskperf.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3672	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
3672	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
3780	explorer.exe
6764	spoolsv.exe
6764	spoolsv.exe
6856	spoolsv.exe
6856	spoolsv.exe
6948	spoolsv.exe
6948	spoolsv.exe
7000	spoolsv.exe
7000	spoolsv.exe
7072	spoolsv.exe
7072	spoolsv.exe
7144	spoolsv.exe
7152	spoolsv.exe
7144	spoolsv.exe
7152	spoolsv.exe
6864	spoolsv.exe
6936	spoolsv.exe
6864	spoolsv.exe
6936	spoolsv.exe
6992	spoolsv.exe
6992	spoolsv.exe
7084	spoolsv.exe
7084	spoolsv.exe
7160	spoolsv.exe
7160	spoolsv.exe
6824	spoolsv.exe
6824	spoolsv.exe
2204	spoolsv.exe
2204	spoolsv.exe
6768	spoolsv.exe
6768	spoolsv.exe
1512	spoolsv.exe
1512	spoolsv.exe
7080	spoolsv.exe
7080	spoolsv.exe
6832	spoolsv.exe
6832	spoolsv.exe
1172	spoolsv.exe
1172	spoolsv.exe
3760	spoolsv.exe
3760	spoolsv.exe
7044	spoolsv.exe
7044	spoolsv.exe
2284	spoolsv.exe
2284	spoolsv.exe
4468	diskperf.exe
4468	diskperf.exe
3272	spoolsv.exe
3272	spoolsv.exe
3464	spoolsv.exe
2644	spoolsv.exe
3464	spoolsv.exe
2644	spoolsv.exe
7024	spoolsv.exe
7024	spoolsv.exe
3272	spoolsv.exe
3272	spoolsv.exe
1472	spoolsv.exe
1472	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exec97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 644 wrote to memory of 3672	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 644 wrote to memory of 3672	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 644 wrote to memory of 3672	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 644 wrote to memory of 3672	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 644 wrote to memory of 3672	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 644 wrote to memory of 3672	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 644 wrote to memory of 3672	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 644 wrote to memory of 3672	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
PID 644 wrote to memory of 3576	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 644 wrote to memory of 3576	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 644 wrote to memory of 3576	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 644 wrote to memory of 3576	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 644 wrote to memory of 3576	644	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	diskperf.exe
PID 3672 wrote to memory of 3460	3672	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	explorer.exe
PID 3672 wrote to memory of 3460	3672	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	explorer.exe
PID 3672 wrote to memory of 3460	3672	c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe	explorer.exe
PID 3460 wrote to memory of 3780	3460	explorer.exe	explorer.exe
PID 3460 wrote to memory of 3780	3460	explorer.exe	explorer.exe
PID 3460 wrote to memory of 3780	3460	explorer.exe	explorer.exe
PID 3460 wrote to memory of 3780	3460	explorer.exe	explorer.exe
PID 3460 wrote to memory of 3780	3460	explorer.exe	explorer.exe
PID 3460 wrote to memory of 3780	3460	explorer.exe	explorer.exe
PID 3460 wrote to memory of 3780	3460	explorer.exe	explorer.exe
PID 3460 wrote to memory of 3780	3460	explorer.exe	explorer.exe
PID 3460 wrote to memory of 1648	3460	explorer.exe	diskperf.exe
PID 3460 wrote to memory of 1648	3460	explorer.exe	diskperf.exe
PID 3460 wrote to memory of 1648	3460	explorer.exe	diskperf.exe
PID 3460 wrote to memory of 1648	3460	explorer.exe	diskperf.exe
PID 3460 wrote to memory of 1648	3460	explorer.exe	diskperf.exe
PID 3780 wrote to memory of 3452	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3452	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3452	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3996	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3996	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3996	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1824	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1824	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1824	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3664	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3664	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3664	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3188	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3188	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3188	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 2280	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 2280	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 2280	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3492	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3492	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3492	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3480	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3480	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 3480	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 412	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 412	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 412	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1120	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1120	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1120	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1032	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1032	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1032	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1948	3780	explorer.exe	spoolsv.exe
PID 3780 wrote to memory of 1948	3780	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
"C:\Users\Admin\AppData\Local\Temp\c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe
"C:\Users\Admin\AppData\Local\Temp\c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3672

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3460

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6764

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6948

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7152

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7084

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7116

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7160

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2204

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1512

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7080

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6832

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1188

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1172

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1384

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3760

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2284

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4468

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2128

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3464

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7024

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4616

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1472

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4444

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4728

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4760

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4776

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4424

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4876

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3660

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:416

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4796

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4968

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3272

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5052

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3460

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3832

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3660

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2232

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4244

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:3576

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:4728

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
fd88e732993de57ca0bfd7d092c26131

SHA1
b3ad7ac5a3531a84654b1ac2364c12242de08f66

SHA256
c97ae84e271bc4f1ae277c32b97e59160531d601421a110ee31468e451f3fa9d

SHA512
5d45fd176f8e5e57e7077919afb14b47f8a3818377b47a21ce11f5ac5a74df46d6ead66e7acdfdeb04aeb3c1c667b196f6cc6378db21a3a82c80d471f472b148

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
48c6454e112f5db307a94f83d3f945a7

SHA1
7959f8dcd95764e40173c9e89e1a224cec705f95

SHA256
baeb8ad73dadd858c7761c8367c77e183e035f1add42765b392184e5bfb6397c

SHA512
4dc1ca90ad960ff276dcf9889c3fc7d8abd40f161451c19c462077970c2cd7727fbcd8700323f7fafec97815a9daff7b941ddaad695cedfe77c6a4774df82e98

Download Submit
C:\Windows\System\explorer.exe
MD5
48c6454e112f5db307a94f83d3f945a7

SHA1
7959f8dcd95764e40173c9e89e1a224cec705f95

SHA256
baeb8ad73dadd858c7761c8367c77e183e035f1add42765b392184e5bfb6397c

SHA512
4dc1ca90ad960ff276dcf9889c3fc7d8abd40f161451c19c462077970c2cd7727fbcd8700323f7fafec97815a9daff7b941ddaad695cedfe77c6a4774df82e98

Download Submit
C:\Windows\System\explorer.exe
MD5
48c6454e112f5db307a94f83d3f945a7

SHA1
7959f8dcd95764e40173c9e89e1a224cec705f95

SHA256
baeb8ad73dadd858c7761c8367c77e183e035f1add42765b392184e5bfb6397c

SHA512
4dc1ca90ad960ff276dcf9889c3fc7d8abd40f161451c19c462077970c2cd7727fbcd8700323f7fafec97815a9daff7b941ddaad695cedfe77c6a4774df82e98

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
C:\Windows\System\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
\??\c:\windows\system\explorer.exe
MD5
48c6454e112f5db307a94f83d3f945a7

SHA1
7959f8dcd95764e40173c9e89e1a224cec705f95

SHA256
baeb8ad73dadd858c7761c8367c77e183e035f1add42765b392184e5bfb6397c

SHA512
4dc1ca90ad960ff276dcf9889c3fc7d8abd40f161451c19c462077970c2cd7727fbcd8700323f7fafec97815a9daff7b941ddaad695cedfe77c6a4774df82e98

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
e95a5a072cf6a5ffbcad3cd7dfae8ec2

SHA1
1ef36bec38b13e35272cd5469da5c865a594d6c0

SHA256
28cc35929537f17e2c8e76316b919ed36ab51b252396e63b1f75b4dac2f432e1

SHA512
11f49066c80f1ba81905646c01abdd1fb4611c02e85965c9a86dfdf44632766936809783898c28fb663eb834d0c30f703c9a3aa06456f85969ca4791e75a20f9

Download Submit
memory/212-243-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/212-238-0x0000000000000000-mapping.dmp

Download
memory/344-248-0x0000000000000000-mapping.dmp

Download
memory/344-252-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/412-166-0x0000000000000000-mapping.dmp

Download
memory/412-169-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/644-114-0x0000000000AA0000-0x0000000000B2E000-memory.dmp

Filesize
568KB

Download
memory/692-242-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/692-236-0x0000000000000000-mapping.dmp

Download
memory/848-219-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/848-211-0x0000000000000000-mapping.dmp

Download
memory/1032-174-0x0000000000000000-mapping.dmp

Download
memory/1120-172-0x0000000000000000-mapping.dmp

Download
memory/1120-178-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1124-185-0x0000000000000000-mapping.dmp

Download
memory/1124-189-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1128-244-0x0000000000000000-mapping.dmp

Download
memory/1128-250-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1292-183-0x0000000000000000-mapping.dmp

Download
memory/1292-188-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1332-225-0x0000000000000000-mapping.dmp

Download
memory/1332-230-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1336-202-0x0000000000000000-mapping.dmp

Download
memory/1352-223-0x0000000000000000-mapping.dmp

Download
memory/1352-229-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1448-196-0x0000000000000000-mapping.dmp

Download
memory/1448-199-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1552-221-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1552-213-0x0000000000000000-mapping.dmp

Download
memory/1648-136-0x0000000000411000-mapping.dmp

Download
memory/1664-261-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/1664-253-0x0000000000000000-mapping.dmp

Download
memory/1724-210-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1724-206-0x0000000000000000-mapping.dmp

Download
memory/1792-263-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1792-255-0x0000000000000000-mapping.dmp

Download
memory/1824-151-0x0000000000000000-mapping.dmp

Download
memory/1824-157-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1860-227-0x0000000000000000-mapping.dmp

Download
memory/1860-231-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1940-272-0x0000000000620000-0x000000000076A000-memory.dmp

Filesize
1.3MB

Download
memory/1940-269-0x0000000000000000-mapping.dmp

Download
memory/1948-180-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1948-176-0x0000000000000000-mapping.dmp

Download
memory/2008-232-0x0000000000000000-mapping.dmp

Download
memory/2008-240-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2080-257-0x0000000000000000-mapping.dmp

Download
memory/2080-264-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/2100-281-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2100-278-0x0000000000000000-mapping.dmp

Download
memory/2248-271-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2248-265-0x0000000000000000-mapping.dmp

Download
memory/2280-168-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2280-160-0x0000000000000000-mapping.dmp

Download
memory/2328-259-0x0000000000000000-mapping.dmp

Download
memory/2328-262-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2376-246-0x0000000000000000-mapping.dmp

Download
memory/2376-251-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2604-282-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2604-276-0x0000000000000000-mapping.dmp

Download
memory/2796-222-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/2796-215-0x0000000000000000-mapping.dmp

Download
memory/2892-217-0x0000000000000000-mapping.dmp

Download
memory/2892-220-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2920-190-0x0000000000000000-mapping.dmp

Download
memory/3168-241-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3168-234-0x0000000000000000-mapping.dmp

Download
memory/3188-155-0x0000000000000000-mapping.dmp

Download
memory/3188-159-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3384-267-0x0000000000000000-mapping.dmp

Download
memory/3384-273-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3452-144-0x0000000000000000-mapping.dmp

Download
memory/3452-149-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/3460-129-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3460-126-0x0000000000000000-mapping.dmp

Download
memory/3480-164-0x0000000000000000-mapping.dmp

Download
memory/3480-171-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3492-162-0x0000000000000000-mapping.dmp

Download
memory/3492-170-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/3500-200-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/3500-192-0x0000000000000000-mapping.dmp

Download
memory/3576-118-0x0000000000411000-mapping.dmp

Download
memory/3576-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3576-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3664-153-0x0000000000000000-mapping.dmp

Download
memory/3664-158-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3672-116-0x0000000000403670-mapping.dmp

Download
memory/3672-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3672-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3780-131-0x0000000000403670-mapping.dmp

Download
memory/3912-181-0x0000000000000000-mapping.dmp

Download
memory/3944-194-0x0000000000000000-mapping.dmp

Download
memory/3944-201-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/3972-280-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3972-274-0x0000000000000000-mapping.dmp

Download
memory/3996-147-0x0000000000000000-mapping.dmp

Download
memory/3996-150-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/4060-209-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4060-204-0x0000000000000000-mapping.dmp

Download
memory/4104-289-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4104-283-0x0000000000000000-mapping.dmp

Download
memory/4128-285-0x0000000000000000-mapping.dmp

Download
memory/4128-290-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/4152-291-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4152-287-0x0000000000000000-mapping.dmp

Download
memory/4188-292-0x0000000000000000-mapping.dmp

Download
memory/4188-300-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4212-302-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4212-294-0x0000000000000000-mapping.dmp

Download
memory/4236-303-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4236-296-0x0000000000000000-mapping.dmp

Download
memory/4260-298-0x0000000000000000-mapping.dmp

Download
memory/4260-301-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4300-304-0x0000000000000000-mapping.dmp

Download
memory/4300-310-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4324-312-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4324-306-0x0000000000000000-mapping.dmp

Download
memory/4348-311-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4348-308-0x0000000000000000-mapping.dmp

Download
memory/4384-313-0x0000000000000000-mapping.dmp

Download
memory/4384-318-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4408-315-0x0000000000000000-mapping.dmp

Download
memory/4408-319-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4432-317-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads