warzonerat | 4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0

Analysis

max time kernel
143s
max time network
100s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
Size

1.8MB
MD5

b1b0e976765f127f3f6946201b410a8e
SHA1

5c24c01c3cf17082e412bc1970ad78e9d49d2ff6
SHA256

4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0
SHA512

6ae18ddec77e2b3722924487a74f39a569a36540fc8aa6f7398533b649fc4f3025d423581059ab19bc449bbae4a42ad73e008c1991717c7133b2ffe80e8246dc

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
292	explorer.exe
668	explorer.exe
1348	spoolsv.exe
1848	spoolsv.exe
1540	spoolsv.exe
652	spoolsv.exe
1080	spoolsv.exe
1700	spoolsv.exe
1516	spoolsv.exe
2004	spoolsv.exe
1636	spoolsv.exe
1400	spoolsv.exe
1084	spoolsv.exe
600	spoolsv.exe
1960	spoolsv.exe
1952	spoolsv.exe
2008	spoolsv.exe
1360	spoolsv.exe
824	spoolsv.exe
596	spoolsv.exe
1300	spoolsv.exe
1112	spoolsv.exe
1160	spoolsv.exe
1424	spoolsv.exe
1616	spoolsv.exe
1860	spoolsv.exe
1704	spoolsv.exe
572	spoolsv.exe
1148	spoolsv.exe
1336	spoolsv.exe
952	spoolsv.exe
1560	spoolsv.exe
1640	spoolsv.exe
756	spoolsv.exe
536	spoolsv.exe
768	spoolsv.exe
1664	spoolsv.exe
2032	spoolsv.exe
1856	spoolsv.exe
1176	spoolsv.exe
860	spoolsv.exe
544	spoolsv.exe
980	spoolsv.exe
828	spoolsv.exe
672	spoolsv.exe
1752	spoolsv.exe
2044	spoolsv.exe
1668	spoolsv.exe
1996	spoolsv.exe
900	spoolsv.exe
888	spoolsv.exe
1680	spoolsv.exe
1172	spoolsv.exe
1836	spoolsv.exe
1568	spoolsv.exe
1196	spoolsv.exe
620	spoolsv.exe
1432	spoolsv.exe
1956	spoolsv.exe
956	spoolsv.exe
2028	spoolsv.exe
1284	spoolsv.exe
1592	spoolsv.exe
1632	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exeexplorer.exe

pid	process
1680	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
1680	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe

Adds Run key to start application 2 TTPs 35 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exe4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 63 IoCs

Processes:

4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1084 set thread context of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 set thread context of 1608	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	diskperf.exe
PID 292 set thread context of 668	292	explorer.exe	explorer.exe
PID 292 set thread context of 328	292	explorer.exe	diskperf.exe
PID 1348 set thread context of 3192	1348	spoolsv.exe	spoolsv.exe
PID 1348 set thread context of 3200	1348	spoolsv.exe	diskperf.exe
PID 1848 set thread context of 3240	1848	spoolsv.exe	spoolsv.exe
PID 1848 set thread context of 3248	1848	spoolsv.exe	diskperf.exe
PID 1540 set thread context of 3276	1540	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 3284	1540	spoolsv.exe	diskperf.exe
PID 652 set thread context of 3308	652	spoolsv.exe	spoolsv.exe
PID 652 set thread context of 3316	652	spoolsv.exe	diskperf.exe
PID 1080 set thread context of 3344	1080	spoolsv.exe	spoolsv.exe
PID 1080 set thread context of 3352	1080	spoolsv.exe	diskperf.exe
PID 1700 set thread context of 3380	1700	spoolsv.exe	spoolsv.exe
PID 1700 set thread context of 3388	1700	spoolsv.exe	diskperf.exe
PID 1516 set thread context of 3416	1516	spoolsv.exe	spoolsv.exe
PID 1516 set thread context of 3424	1516	spoolsv.exe	diskperf.exe
PID 2004 set thread context of 3448	2004	spoolsv.exe	spoolsv.exe
PID 2004 set thread context of 3456	2004	spoolsv.exe	diskperf.exe
PID 1636 set thread context of 3484	1636	spoolsv.exe	spoolsv.exe
PID 1636 set thread context of 3492	1636	spoolsv.exe	diskperf.exe
PID 1400 set thread context of 3516	1400	spoolsv.exe	spoolsv.exe
PID 1400 set thread context of 3524	1400	spoolsv.exe	diskperf.exe
PID 1084 set thread context of 3552	1084	spoolsv.exe	spoolsv.exe
PID 1084 set thread context of 3560	1084	spoolsv.exe	diskperf.exe
PID 600 set thread context of 3580	600	spoolsv.exe	spoolsv.exe
PID 600 set thread context of 3588	600	spoolsv.exe	diskperf.exe
PID 1960 set thread context of 3608	1960	spoolsv.exe	spoolsv.exe
PID 1960 set thread context of 3616	1960	spoolsv.exe	diskperf.exe
PID 1952 set thread context of 3636	1952	spoolsv.exe	spoolsv.exe
PID 1952 set thread context of 3644	1952	spoolsv.exe	diskperf.exe
PID 2008 set thread context of 3664	2008	spoolsv.exe	spoolsv.exe
PID 2008 set thread context of 3672	2008	spoolsv.exe	diskperf.exe
PID 1360 set thread context of 3692	1360	spoolsv.exe	spoolsv.exe
PID 1360 set thread context of 3700	1360	spoolsv.exe	diskperf.exe
PID 824 set thread context of 3720	824	spoolsv.exe	spoolsv.exe
PID 824 set thread context of 3728	824	spoolsv.exe	diskperf.exe
PID 596 set thread context of 3756	596	spoolsv.exe	spoolsv.exe
PID 596 set thread context of 3764	596	spoolsv.exe	diskperf.exe
PID 1300 set thread context of 3784	1300	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 3792	1300	spoolsv.exe	diskperf.exe
PID 1112 set thread context of 3820	1112	spoolsv.exe	spoolsv.exe
PID 1112 set thread context of 3840	1112	spoolsv.exe	diskperf.exe
PID 1160 set thread context of 3852	1160	spoolsv.exe	spoolsv.exe
PID 1160 set thread context of 3860	1160	spoolsv.exe	diskperf.exe
PID 1424 set thread context of 3880	1424	spoolsv.exe	spoolsv.exe
PID 1424 set thread context of 3888	1424	spoolsv.exe	diskperf.exe
PID 1616 set thread context of 3908	1616	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 3924	1704	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 3916	1616	spoolsv.exe	diskperf.exe
PID 1704 set thread context of 3932	1704	spoolsv.exe	diskperf.exe
PID 1860 set thread context of 3940	1860	spoolsv.exe	spoolsv.exe
PID 1860 set thread context of 3948	1860	spoolsv.exe	diskperf.exe
PID 572 set thread context of 3956	572	spoolsv.exe	spoolsv.exe
PID 572 set thread context of 3964	572	spoolsv.exe	diskperf.exe
PID 1336 set thread context of 3980	1336	spoolsv.exe	spoolsv.exe
PID 1148 set thread context of 3972	1148	spoolsv.exe	spoolsv.exe
PID 1336 set thread context of 3988	1336	spoolsv.exe	diskperf.exe
PID 1148 set thread context of 3996	1148	spoolsv.exe	diskperf.exe
PID 952 set thread context of 4004	952	spoolsv.exe	spoolsv.exe
PID 1560 set thread context of 4024	1560	spoolsv.exe	svchost.exe
PID 952 set thread context of 4032	952	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exeexplorer.exe

pid	process
1680	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

668 explorer.exe

pid	process
668	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1680	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
1680	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
3192	spoolsv.exe
3192	spoolsv.exe
3240	spoolsv.exe
3240	spoolsv.exe
3276	spoolsv.exe
3276	spoolsv.exe
3308	spoolsv.exe
3308	spoolsv.exe
3344	spoolsv.exe
3344	spoolsv.exe
3380	spoolsv.exe
3380	spoolsv.exe
3416	spoolsv.exe
3416	spoolsv.exe
3448	spoolsv.exe
3448	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
3516	spoolsv.exe
3516	spoolsv.exe
3552	spoolsv.exe
3552	spoolsv.exe
3580	spoolsv.exe
3580	spoolsv.exe
3608	spoolsv.exe
3608	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
3664	spoolsv.exe
3664	spoolsv.exe
3692	spoolsv.exe
3692	spoolsv.exe
3720	spoolsv.exe
3720	spoolsv.exe
3756	spoolsv.exe
3756	spoolsv.exe
3784	spoolsv.exe
3784	spoolsv.exe
3820	spoolsv.exe
3820	spoolsv.exe
3852	spoolsv.exe
3852	spoolsv.exe
3880	spoolsv.exe
3880	spoolsv.exe
3908	spoolsv.exe
3924	spoolsv.exe
3924	spoolsv.exe
3908	spoolsv.exe
3940	spoolsv.exe
3940	spoolsv.exe
3956	spoolsv.exe
3956	spoolsv.exe
3980	spoolsv.exe
3972	spoolsv.exe
3972	spoolsv.exe
3980	spoolsv.exe
4004	spoolsv.exe
4004	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1084 wrote to memory of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 wrote to memory of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 wrote to memory of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 wrote to memory of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 wrote to memory of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 wrote to memory of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 wrote to memory of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 wrote to memory of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 wrote to memory of 1680	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
PID 1084 wrote to memory of 1608	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	diskperf.exe
PID 1084 wrote to memory of 1608	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	diskperf.exe
PID 1084 wrote to memory of 1608	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	diskperf.exe
PID 1084 wrote to memory of 1608	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	diskperf.exe
PID 1084 wrote to memory of 1608	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	diskperf.exe
PID 1084 wrote to memory of 1608	1084	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	diskperf.exe
PID 1680 wrote to memory of 292	1680	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	explorer.exe
PID 1680 wrote to memory of 292	1680	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	explorer.exe
PID 1680 wrote to memory of 292	1680	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	explorer.exe
PID 1680 wrote to memory of 292	1680	4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe	explorer.exe
PID 292 wrote to memory of 668	292	explorer.exe	explorer.exe
PID 292 wrote to memory of 668	292	explorer.exe	explorer.exe
PID 292 wrote to memory of 668	292	explorer.exe	explorer.exe
PID 292 wrote to memory of 668	292	explorer.exe	explorer.exe
PID 292 wrote to memory of 668	292	explorer.exe	explorer.exe
PID 292 wrote to memory of 668	292	explorer.exe	explorer.exe
PID 292 wrote to memory of 668	292	explorer.exe	explorer.exe
PID 292 wrote to memory of 668	292	explorer.exe	explorer.exe
PID 292 wrote to memory of 668	292	explorer.exe	explorer.exe
PID 292 wrote to memory of 328	292	explorer.exe	diskperf.exe
PID 292 wrote to memory of 328	292	explorer.exe	diskperf.exe
PID 292 wrote to memory of 328	292	explorer.exe	diskperf.exe
PID 292 wrote to memory of 328	292	explorer.exe	diskperf.exe
PID 292 wrote to memory of 328	292	explorer.exe	diskperf.exe
PID 292 wrote to memory of 328	292	explorer.exe	diskperf.exe
PID 668 wrote to memory of 1348	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1348	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1348	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1348	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1848	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1848	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1848	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1848	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1540	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1540	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1540	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1540	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 652	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 652	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 652	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 652	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1080	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1080	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1080	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1080	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1700	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1700	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1700	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1700	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1516	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1516	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1516	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1516	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2004	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2004	668	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
"C:\Users\Admin\AppData\Local\Temp\4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe
"C:\Users\Admin\AppData\Local\Temp\4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:292

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3192

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3224

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3240

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3260

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3308

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3344

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3380

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3416

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3448

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3508

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3516

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3536

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3552

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3636

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3664

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3720

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3776

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3852

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3880

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3900

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1704

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3980

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4048

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3216

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3296

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3340

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2032

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:532

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3412

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3360

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3452

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3552

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3736

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3788

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1756

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1612

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:268

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4052

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1208

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:432

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1744

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4028

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:284

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1276

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:532

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3896

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b1b0e976765f127f3f6946201b410a8e

SHA1
5c24c01c3cf17082e412bc1970ad78e9d49d2ff6

SHA256
4607b1cdb907ffb58abcad0f70b78e486e8b346d8862ede974d74fbe07f4f1e0

SHA512
6ae18ddec77e2b3722924487a74f39a569a36540fc8aa6f7398533b649fc4f3025d423581059ab19bc449bbae4a42ad73e008c1991717c7133b2ffe80e8246dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
127fa34c0fc57cee362bb05a584be148

SHA1
62a446bcc342d20a7e65d5b7ba5009d2ed59f7da

SHA256
194c728684641fb076833d6e4fceac43f25b5e7fc53ec97e28eb8247840689a3

SHA512
ea38c902a6d3335c767c23972b13115f3b58915a76d7af74216bcce6a6e7d7f62f30c7bf9db7931336a68332282b696ab0a495983197ae392e6ffad8d76ee63c

Download Submit
C:\Windows\system\explorer.exe
MD5
127fa34c0fc57cee362bb05a584be148

SHA1
62a446bcc342d20a7e65d5b7ba5009d2ed59f7da

SHA256
194c728684641fb076833d6e4fceac43f25b5e7fc53ec97e28eb8247840689a3

SHA512
ea38c902a6d3335c767c23972b13115f3b58915a76d7af74216bcce6a6e7d7f62f30c7bf9db7931336a68332282b696ab0a495983197ae392e6ffad8d76ee63c

Download Submit
C:\Windows\system\explorer.exe
MD5
127fa34c0fc57cee362bb05a584be148

SHA1
62a446bcc342d20a7e65d5b7ba5009d2ed59f7da

SHA256
194c728684641fb076833d6e4fceac43f25b5e7fc53ec97e28eb8247840689a3

SHA512
ea38c902a6d3335c767c23972b13115f3b58915a76d7af74216bcce6a6e7d7f62f30c7bf9db7931336a68332282b696ab0a495983197ae392e6ffad8d76ee63c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
C:\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\??\c:\windows\system\explorer.exe
MD5
127fa34c0fc57cee362bb05a584be148

SHA1
62a446bcc342d20a7e65d5b7ba5009d2ed59f7da

SHA256
194c728684641fb076833d6e4fceac43f25b5e7fc53ec97e28eb8247840689a3

SHA512
ea38c902a6d3335c767c23972b13115f3b58915a76d7af74216bcce6a6e7d7f62f30c7bf9db7931336a68332282b696ab0a495983197ae392e6ffad8d76ee63c

Download Submit
\Windows\system\explorer.exe
MD5
127fa34c0fc57cee362bb05a584be148

SHA1
62a446bcc342d20a7e65d5b7ba5009d2ed59f7da

SHA256
194c728684641fb076833d6e4fceac43f25b5e7fc53ec97e28eb8247840689a3

SHA512
ea38c902a6d3335c767c23972b13115f3b58915a76d7af74216bcce6a6e7d7f62f30c7bf9db7931336a68332282b696ab0a495983197ae392e6ffad8d76ee63c

Download Submit
\Windows\system\explorer.exe
MD5
127fa34c0fc57cee362bb05a584be148

SHA1
62a446bcc342d20a7e65d5b7ba5009d2ed59f7da

SHA256
194c728684641fb076833d6e4fceac43f25b5e7fc53ec97e28eb8247840689a3

SHA512
ea38c902a6d3335c767c23972b13115f3b58915a76d7af74216bcce6a6e7d7f62f30c7bf9db7931336a68332282b696ab0a495983197ae392e6ffad8d76ee63c

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
\Windows\system\spoolsv.exe
MD5
45267daf133d322990d58ef224c7a666

SHA1
ec10add02ab0a4682b5fc59d6462c4d14753916e

SHA256
b9cd1d82bdaf1b516640331c2267335da63942768f2a28e624bf2c30e7b2ca36

SHA512
6a63eeeab3b7a85d5ec2eaa4688c0369c1ca309b9aa4aaa446fe136771152da1319ac693095b541110ba07fdd060fde2eea2f34887f58afe5c6c9b880d6e4d02

Download Submit
memory/292-73-0x0000000000000000-mapping.dmp

Download
memory/328-87-0x0000000000411000-mapping.dmp

Download
memory/536-242-0x0000000000000000-mapping.dmp

Download
memory/536-252-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/544-263-0x0000000000000000-mapping.dmp

Download
memory/544-273-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/572-221-0x0000000000000000-mapping.dmp

Download
memory/572-230-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/596-197-0x0000000000000000-mapping.dmp

Download
memory/600-160-0x0000000000000000-mapping.dmp

Download
memory/620-312-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/620-307-0x0000000000000000-mapping.dmp

Download
memory/652-113-0x0000000000000000-mapping.dmp

Download
memory/652-120-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/668-81-0x0000000000403670-mapping.dmp

Download
memory/672-276-0x0000000000000000-mapping.dmp

Download
memory/672-287-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/756-240-0x0000000000000000-mapping.dmp

Download
memory/756-251-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/768-244-0x0000000000000000-mapping.dmp

Download
memory/768-247-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/824-191-0x0000000000000000-mapping.dmp

Download
memory/824-207-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/828-274-0x0000000000000000-mapping.dmp

Download
memory/828-286-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/860-261-0x0000000000000000-mapping.dmp

Download
memory/860-272-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/888-301-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/888-295-0x0000000000000000-mapping.dmp

Download
memory/900-288-0x0000000000000000-mapping.dmp

Download
memory/900-293-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/952-248-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/952-234-0x0000000000000000-mapping.dmp

Download
memory/956-310-0x0000000000000000-mapping.dmp

Download
memory/980-265-0x0000000000000000-mapping.dmp

Download
memory/1080-119-0x0000000000000000-mapping.dmp

Download
memory/1080-133-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1084-164-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1084-154-0x0000000000000000-mapping.dmp

Download
memory/1084-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1112-205-0x0000000000000000-mapping.dmp

Download
memory/1148-223-0x0000000000000000-mapping.dmp

Download
memory/1160-211-0x0000000000000000-mapping.dmp

Download
memory/1172-297-0x0000000000000000-mapping.dmp

Download
memory/1172-303-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1176-271-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1176-259-0x0000000000000000-mapping.dmp

Download
memory/1196-300-0x0000000000000000-mapping.dmp

Download
memory/1300-210-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1300-202-0x0000000000000000-mapping.dmp

Download
memory/1336-232-0x0000000000000000-mapping.dmp

Download
memory/1336-246-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1348-96-0x0000000000000000-mapping.dmp

Download
memory/1348-105-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1360-186-0x0000000000000000-mapping.dmp

Download
memory/1360-193-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1400-161-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1400-149-0x0000000000000000-mapping.dmp

Download
memory/1424-226-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1424-213-0x0000000000000000-mapping.dmp

Download
memory/1432-308-0x0000000000000000-mapping.dmp

Download
memory/1516-130-0x0000000000000000-mapping.dmp

Download
memory/1516-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1540-107-0x0000000000000000-mapping.dmp

Download
memory/1540-117-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1560-236-0x0000000000000000-mapping.dmp

Download
memory/1560-249-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1568-299-0x0000000000000000-mapping.dmp

Download
memory/1608-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-67-0x0000000000411000-mapping.dmp

Download
memory/1616-215-0x0000000000000000-mapping.dmp

Download
memory/1636-143-0x0000000000000000-mapping.dmp

Download
memory/1636-157-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1640-250-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1640-238-0x0000000000000000-mapping.dmp

Download
memory/1664-253-0x0000000000000000-mapping.dmp

Download
memory/1664-267-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1668-282-0x0000000000000000-mapping.dmp

Download
memory/1680-63-0x0000000000403670-mapping.dmp

Download
memory/1680-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1680-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1680-296-0x0000000000000000-mapping.dmp

Download
memory/1700-125-0x0000000000000000-mapping.dmp

Download
memory/1700-135-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1704-219-0x0000000000000000-mapping.dmp

Download
memory/1752-278-0x0000000000000000-mapping.dmp

Download
memory/1836-304-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1836-298-0x0000000000000000-mapping.dmp

Download
memory/1848-108-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1848-101-0x0000000000000000-mapping.dmp

Download
memory/1856-257-0x0000000000000000-mapping.dmp

Download
memory/1860-217-0x0000000000000000-mapping.dmp

Download
memory/1860-228-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1952-174-0x0000000000000000-mapping.dmp

Download
memory/1952-182-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1956-309-0x0000000000000000-mapping.dmp

Download
memory/1956-314-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1960-171-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1960-167-0x0000000000000000-mapping.dmp

Download
memory/1996-284-0x0000000000000000-mapping.dmp

Download
memory/1996-294-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2004-138-0x0000000000000000-mapping.dmp

Download
memory/2008-183-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2008-179-0x0000000000000000-mapping.dmp

Download
memory/2028-311-0x0000000000000000-mapping.dmp

Download
memory/2032-269-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2032-255-0x0000000000000000-mapping.dmp

Download
memory/2044-280-0x0000000000000000-mapping.dmp

Download
memory/2044-290-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download