warzonerat | 90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7v20210408
submitted
05-05-2021 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab8b026c_by_Libranalysis.exe
Size

1.8MB
MD5

ab8b026c7402b5e0452ff0f915f2cb0f
SHA1

ca849caf19f9c87e2218f12d8c2c263f010b858f
SHA256

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9
SHA512

c896a625314f135ec0854f2ef80574efc21926c46a04224e6fa3f75342c8647963ee3d7e7538b2ac5352f2ad62f20d9e0bb86c8233289f8bded6ca52830cbbda

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
764	explorer.exe
1476	explorer.exe
304	spoolsv.exe
960	spoolsv.exe
780	spoolsv.exe
652	spoolsv.exe
740	spoolsv.exe
1380	spoolsv.exe
1576	spoolsv.exe
1984	spoolsv.exe
964	spoolsv.exe
1572	spoolsv.exe
1164	spoolsv.exe
1688	spoolsv.exe
668	spoolsv.exe
768	spoolsv.exe
1640	spoolsv.exe
1864	spoolsv.exe
1812	spoolsv.exe
1292	spoolsv.exe
1288	spoolsv.exe
1136	spoolsv.exe
664	spoolsv.exe
564	spoolsv.exe
368	spoolsv.exe
1540	spoolsv.exe
1604	spoolsv.exe
1596	spoolsv.exe
1808	spoolsv.exe
896	spoolsv.exe
944	spoolsv.exe
952	spoolsv.exe
1620	spoolsv.exe
1544	spoolsv.exe
520	spoolsv.exe
268	spoolsv.exe
464	spoolsv.exe
1172	spoolsv.exe
1536	spoolsv.exe
1632	spoolsv.exe
816	spoolsv.exe
1060	spoolsv.exe
1732	spoolsv.exe
1004	spoolsv.exe
1264	spoolsv.exe
848	spoolsv.exe
1792	spoolsv.exe
2004	spoolsv.exe
2000	spoolsv.exe
840	spoolsv.exe
1384	spoolsv.exe
1656	spoolsv.exe
1820	spoolsv.exe
864	spoolsv.exe
1252	spoolsv.exe
1084	spoolsv.exe
1836	spoolsv.exe
640	spoolsv.exe
568	spoolsv.exe
1100	spoolsv.exe
1496	spoolsv.exe
1692	spoolsv.exe
2024	spoolsv.exe
2044	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

ab8b026c_by_Libranalysis.exeexplorer.exe

pid	process
1584	ab8b026c_by_Libranalysis.exe
1584	ab8b026c_by_Libranalysis.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe

Adds Run key to start application 2 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeab8b026c_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	ab8b026c_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

ab8b026c_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1820 set thread context of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 set thread context of 1616	1820	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 764 set thread context of 1476	764	explorer.exe	explorer.exe
PID 764 set thread context of 1872	764	explorer.exe	diskperf.exe
PID 304 set thread context of 3288	304	spoolsv.exe	spoolsv.exe
PID 304 set thread context of 3296	304	spoolsv.exe	diskperf.exe
PID 960 set thread context of 3336	960	spoolsv.exe	spoolsv.exe
PID 960 set thread context of 3344	960	spoolsv.exe	diskperf.exe
PID 780 set thread context of 3368	780	spoolsv.exe	spoolsv.exe
PID 780 set thread context of 3376	780	spoolsv.exe	diskperf.exe
PID 652 set thread context of 3404	652	spoolsv.exe	spoolsv.exe
PID 652 set thread context of 3412	652	spoolsv.exe	diskperf.exe
PID 740 set thread context of 3440	740	spoolsv.exe	spoolsv.exe
PID 740 set thread context of 3448	740	spoolsv.exe	diskperf.exe
PID 1380 set thread context of 3476	1380	spoolsv.exe	spoolsv.exe
PID 1380 set thread context of 3484	1380	spoolsv.exe	diskperf.exe
PID 1576 set thread context of 3508	1576	spoolsv.exe	spoolsv.exe
PID 1576 set thread context of 3516	1576	spoolsv.exe	diskperf.exe
PID 1984 set thread context of 3540	1984	spoolsv.exe	spoolsv.exe
PID 1984 set thread context of 3548	1984	spoolsv.exe	diskperf.exe
PID 964 set thread context of 3576	964	spoolsv.exe	spoolsv.exe
PID 964 set thread context of 3584	964	spoolsv.exe	diskperf.exe
PID 1572 set thread context of 3612	1572	spoolsv.exe	spoolsv.exe
PID 1572 set thread context of 3620	1572	spoolsv.exe	diskperf.exe
PID 1164 set thread context of 3644	1164	spoolsv.exe	spoolsv.exe
PID 1164 set thread context of 3652	1164	spoolsv.exe	diskperf.exe
PID 1688 set thread context of 3676	1688	spoolsv.exe	spoolsv.exe
PID 1688 set thread context of 3684	1688	spoolsv.exe	diskperf.exe
PID 668 set thread context of 3708	668	spoolsv.exe	spoolsv.exe
PID 668 set thread context of 3716	668	spoolsv.exe	diskperf.exe
PID 768 set thread context of 3736	768	spoolsv.exe	spoolsv.exe
PID 768 set thread context of 3744	768	spoolsv.exe	diskperf.exe
PID 1640 set thread context of 3772	1640	spoolsv.exe	spoolsv.exe
PID 1640 set thread context of 3780	1640	spoolsv.exe	diskperf.exe
PID 1864 set thread context of 3804	1864	spoolsv.exe	spoolsv.exe
PID 1864 set thread context of 3812	1864	spoolsv.exe	diskperf.exe
PID 1812 set thread context of 3836	1812	spoolsv.exe	spoolsv.exe
PID 1812 set thread context of 3844	1812	spoolsv.exe	diskperf.exe
PID 1292 set thread context of 3872	1292	spoolsv.exe	spoolsv.exe
PID 1292 set thread context of 3880	1292	spoolsv.exe	diskperf.exe
PID 1288 set thread context of 3900	1288	spoolsv.exe	spoolsv.exe
PID 1136 set thread context of 3928	1136	spoolsv.exe	spoolsv.exe
PID 1288 set thread context of 3908	1288	spoolsv.exe	diskperf.exe
PID 1136 set thread context of 3936	1136	spoolsv.exe	diskperf.exe
PID 664 set thread context of 3944	664	spoolsv.exe	spoolsv.exe
PID 664 set thread context of 3952	664	spoolsv.exe	diskperf.exe
PID 564 set thread context of 3972	564	spoolsv.exe	spoolsv.exe
PID 564 set thread context of 3980	564	spoolsv.exe	diskperf.exe
PID 368 set thread context of 3988	368	spoolsv.exe	spoolsv.exe
PID 368 set thread context of 3996	368	spoolsv.exe	diskperf.exe
PID 1540 set thread context of 4004	1540	spoolsv.exe	spoolsv.exe
PID 1540 set thread context of 4012	1540	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 4024	1596	spoolsv.exe	spoolsv.exe
PID 1808 set thread context of 4048	1808	spoolsv.exe	spoolsv.exe
PID 1808 set thread context of 4056	1808	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 4040	1596	spoolsv.exe	diskperf.exe
PID 1604 set thread context of 4032	1604	spoolsv.exe	spoolsv.exe
PID 1604 set thread context of 4064	1604	spoolsv.exe	diskperf.exe
PID 896 set thread context of 4084	896	spoolsv.exe	spoolsv.exe
PID 896 set thread context of 4092	896	spoolsv.exe	diskperf.exe
PID 952 set thread context of 3324	952	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 3292	952	spoolsv.exe	diskperf.exe
PID 944 set thread context of 3364	944	spoolsv.exe	spoolsv.exe
PID 944 set thread context of 3352	944	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

ab8b026c_by_Libranalysis.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	ab8b026c_by_Libranalysis.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ab8b026c_by_Libranalysis.exeexplorer.exe

pid	process
1584	ab8b026c_by_Libranalysis.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1476 explorer.exe

pid	process
1476	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1584	ab8b026c_by_Libranalysis.exe
1584	ab8b026c_by_Libranalysis.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
1476	explorer.exe
3288	spoolsv.exe
3288	spoolsv.exe
3336	spoolsv.exe
3336	spoolsv.exe
3368	spoolsv.exe
3368	spoolsv.exe
3404	spoolsv.exe
3404	spoolsv.exe
3440	spoolsv.exe
3440	spoolsv.exe
3476	spoolsv.exe
3476	spoolsv.exe
3508	spoolsv.exe
3508	spoolsv.exe
3540	spoolsv.exe
3540	spoolsv.exe
3576	spoolsv.exe
3576	spoolsv.exe
3612	spoolsv.exe
3612	spoolsv.exe
3644	spoolsv.exe
3644	spoolsv.exe
3676	spoolsv.exe
3676	spoolsv.exe
3708	spoolsv.exe
3708	spoolsv.exe
3736	spoolsv.exe
3736	spoolsv.exe
3772	spoolsv.exe
3772	spoolsv.exe
3804	spoolsv.exe
3804	spoolsv.exe
3836	spoolsv.exe
3836	spoolsv.exe
3872	spoolsv.exe
3872	spoolsv.exe
3900	spoolsv.exe
3900	spoolsv.exe
3928	spoolsv.exe
3928	spoolsv.exe
3944	spoolsv.exe
3944	spoolsv.exe
3972	spoolsv.exe
3988	spoolsv.exe
3988	spoolsv.exe
3972	spoolsv.exe
4004	spoolsv.exe
4004	spoolsv.exe
4024	spoolsv.exe
4048	spoolsv.exe
4024	spoolsv.exe
4048	spoolsv.exe
4032	spoolsv.exe
4032	spoolsv.exe
4084	spoolsv.exe
4084	spoolsv.exe
3324	spoolsv.exe
3364	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ab8b026c_by_Libranalysis.exeab8b026c_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1820 wrote to memory of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 wrote to memory of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 wrote to memory of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 wrote to memory of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 wrote to memory of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 wrote to memory of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 wrote to memory of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 wrote to memory of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 wrote to memory of 1584	1820	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 1820 wrote to memory of 1616	1820	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 1820 wrote to memory of 1616	1820	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 1820 wrote to memory of 1616	1820	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 1820 wrote to memory of 1616	1820	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 1820 wrote to memory of 1616	1820	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 1820 wrote to memory of 1616	1820	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 1584 wrote to memory of 764	1584	ab8b026c_by_Libranalysis.exe	explorer.exe
PID 1584 wrote to memory of 764	1584	ab8b026c_by_Libranalysis.exe	explorer.exe
PID 1584 wrote to memory of 764	1584	ab8b026c_by_Libranalysis.exe	explorer.exe
PID 1584 wrote to memory of 764	1584	ab8b026c_by_Libranalysis.exe	explorer.exe
PID 764 wrote to memory of 1476	764	explorer.exe	explorer.exe
PID 764 wrote to memory of 1476	764	explorer.exe	explorer.exe
PID 764 wrote to memory of 1476	764	explorer.exe	explorer.exe
PID 764 wrote to memory of 1476	764	explorer.exe	explorer.exe
PID 764 wrote to memory of 1476	764	explorer.exe	explorer.exe
PID 764 wrote to memory of 1476	764	explorer.exe	explorer.exe
PID 764 wrote to memory of 1476	764	explorer.exe	explorer.exe
PID 764 wrote to memory of 1476	764	explorer.exe	explorer.exe
PID 764 wrote to memory of 1476	764	explorer.exe	explorer.exe
PID 764 wrote to memory of 1872	764	explorer.exe	diskperf.exe
PID 764 wrote to memory of 1872	764	explorer.exe	diskperf.exe
PID 764 wrote to memory of 1872	764	explorer.exe	diskperf.exe
PID 764 wrote to memory of 1872	764	explorer.exe	diskperf.exe
PID 764 wrote to memory of 1872	764	explorer.exe	diskperf.exe
PID 764 wrote to memory of 1872	764	explorer.exe	diskperf.exe
PID 1476 wrote to memory of 304	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 304	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 304	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 304	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 960	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 960	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 960	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 960	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 780	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 780	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 780	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 780	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 652	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 652	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 652	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 652	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 740	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 740	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 740	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 740	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1380	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1380	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1380	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1380	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1576	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1576	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1576	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1576	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1984	1476	explorer.exe	spoolsv.exe
PID 1476 wrote to memory of 1984	1476	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\ab8b026c_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\ab8b026c_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\ab8b026c_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\ab8b026c_by_Libranalysis.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:764

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3288

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3336

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3356

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3368

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3396

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3404

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3440

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3460

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3476

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3496

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3576

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3708

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3728

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3736

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3772

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3804

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3836

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3872

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3900

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:368

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4024

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4084

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3324

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3388

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3456

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3480

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3568

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3508

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1828

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1020

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3776

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3900

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1280

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1296

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3992

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4048

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1384

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3308

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3660

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:384

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:568

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:240

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4088

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3312

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3960

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
ab8b026c7402b5e0452ff0f915f2cb0f

SHA1
ca849caf19f9c87e2218f12d8c2c263f010b858f

SHA256
90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9

SHA512
c896a625314f135ec0854f2ef80574efc21926c46a04224e6fa3f75342c8647963ee3d7e7538b2ac5352f2ad62f20d9e0bb86c8233289f8bded6ca52830cbbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
2de826b1c37f549f32e2096f6949681b

SHA1
9a4c127534f5e48b360b38114e4960ecd77137b4

SHA256
8141c624834c025b059e51e6d9da4860f673d269d85729719e388c6e865a2b62

SHA512
c5551e41f9d44b61df98f527c60d9cb39abc3668f41fa54f5252991b311c5165cac204049a4764201b9e701bf4bd2e17002892385c53583e5f6eda03a65834d5

Download Submit
C:\Windows\system\explorer.exe
MD5
2de826b1c37f549f32e2096f6949681b

SHA1
9a4c127534f5e48b360b38114e4960ecd77137b4

SHA256
8141c624834c025b059e51e6d9da4860f673d269d85729719e388c6e865a2b62

SHA512
c5551e41f9d44b61df98f527c60d9cb39abc3668f41fa54f5252991b311c5165cac204049a4764201b9e701bf4bd2e17002892385c53583e5f6eda03a65834d5

Download Submit
C:\Windows\system\explorer.exe
MD5
2de826b1c37f549f32e2096f6949681b

SHA1
9a4c127534f5e48b360b38114e4960ecd77137b4

SHA256
8141c624834c025b059e51e6d9da4860f673d269d85729719e388c6e865a2b62

SHA512
c5551e41f9d44b61df98f527c60d9cb39abc3668f41fa54f5252991b311c5165cac204049a4764201b9e701bf4bd2e17002892385c53583e5f6eda03a65834d5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
C:\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\??\c:\windows\system\explorer.exe
MD5
2de826b1c37f549f32e2096f6949681b

SHA1
9a4c127534f5e48b360b38114e4960ecd77137b4

SHA256
8141c624834c025b059e51e6d9da4860f673d269d85729719e388c6e865a2b62

SHA512
c5551e41f9d44b61df98f527c60d9cb39abc3668f41fa54f5252991b311c5165cac204049a4764201b9e701bf4bd2e17002892385c53583e5f6eda03a65834d5

Download Submit
\Windows\system\explorer.exe
MD5
2de826b1c37f549f32e2096f6949681b

SHA1
9a4c127534f5e48b360b38114e4960ecd77137b4

SHA256
8141c624834c025b059e51e6d9da4860f673d269d85729719e388c6e865a2b62

SHA512
c5551e41f9d44b61df98f527c60d9cb39abc3668f41fa54f5252991b311c5165cac204049a4764201b9e701bf4bd2e17002892385c53583e5f6eda03a65834d5

Download Submit
\Windows\system\explorer.exe
MD5
2de826b1c37f549f32e2096f6949681b

SHA1
9a4c127534f5e48b360b38114e4960ecd77137b4

SHA256
8141c624834c025b059e51e6d9da4860f673d269d85729719e388c6e865a2b62

SHA512
c5551e41f9d44b61df98f527c60d9cb39abc3668f41fa54f5252991b311c5165cac204049a4764201b9e701bf4bd2e17002892385c53583e5f6eda03a65834d5

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
\Windows\system\spoolsv.exe
MD5
50cf0446eae9ab93e5a98a528fed496c

SHA1
be0ce3f25bfb2ef52b9fb23f36abb0e8a846cc35

SHA256
0073922edcfc659fd7cc3daddf29744127fe0c36eb28fd897d58e6723e259c3a

SHA512
23d013a4519866a2bc11ac684a31482b0107c19002aabf28b739a435e9c6b5e99703468f5027d58c41cfb3396cdbab044ee67b980b74522dac200af8a1c22358

Download Submit
memory/268-247-0x0000000000000000-mapping.dmp

Download
memory/304-98-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/304-95-0x0000000000000000-mapping.dmp

Download
memory/368-212-0x0000000000000000-mapping.dmp

Download
memory/464-249-0x0000000000000000-mapping.dmp

Download
memory/464-260-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/520-245-0x0000000000000000-mapping.dmp

Download
memory/520-258-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/564-210-0x0000000000000000-mapping.dmp

Download
memory/564-219-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/568-306-0x0000000000000000-mapping.dmp

Download
memory/640-305-0x0000000000000000-mapping.dmp

Download
memory/640-312-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/652-113-0x0000000000000000-mapping.dmp

Download
memory/652-121-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/664-218-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/664-208-0x0000000000000000-mapping.dmp

Download
memory/668-167-0x0000000000000000-mapping.dmp

Download
memory/740-125-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/740-118-0x0000000000000000-mapping.dmp

Download
memory/764-74-0x0000000000000000-mapping.dmp

Download
memory/768-176-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/768-172-0x0000000000000000-mapping.dmp

Download
memory/780-106-0x0000000000000000-mapping.dmp

Download
memory/780-110-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/816-264-0x0000000000000000-mapping.dmp

Download
memory/840-289-0x0000000000000000-mapping.dmp

Download
memory/848-283-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/848-274-0x0000000000000000-mapping.dmp

Download
memory/864-294-0x0000000000000000-mapping.dmp

Download
memory/864-301-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/896-228-0x0000000000000000-mapping.dmp

Download
memory/944-241-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/944-230-0x0000000000000000-mapping.dmp

Download
memory/952-232-0x0000000000000000-mapping.dmp

Download
memory/952-242-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/960-101-0x0000000000000000-mapping.dmp

Download
memory/960-109-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/964-151-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/964-142-0x0000000000000000-mapping.dmp

Download
memory/1004-270-0x0000000000000000-mapping.dmp

Download
memory/1004-281-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1060-266-0x0000000000000000-mapping.dmp

Download
memory/1060-279-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1084-303-0x0000000000000000-mapping.dmp

Download
memory/1100-307-0x0000000000000000-mapping.dmp

Download
memory/1136-206-0x0000000000000000-mapping.dmp

Download
memory/1136-216-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1164-163-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1164-155-0x0000000000000000-mapping.dmp

Download
memory/1172-261-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1172-251-0x0000000000000000-mapping.dmp

Download
memory/1252-302-0x0000000000000000-mapping.dmp

Download
memory/1252-309-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1264-282-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1264-272-0x0000000000000000-mapping.dmp

Download
memory/1288-202-0x0000000000000000-mapping.dmp

Download
memory/1288-214-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1292-196-0x0000000000000000-mapping.dmp

Download
memory/1380-124-0x0000000000000000-mapping.dmp

Download
memory/1384-291-0x0000000000000000-mapping.dmp

Download
memory/1476-80-0x0000000000403670-mapping.dmp

Download
memory/1496-308-0x0000000000000000-mapping.dmp

Download
memory/1536-262-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1536-253-0x0000000000000000-mapping.dmp

Download
memory/1540-215-0x0000000000000000-mapping.dmp

Download
memory/1540-220-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1544-257-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1544-243-0x0000000000000000-mapping.dmp

Download
memory/1572-152-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1572-147-0x0000000000000000-mapping.dmp

Download
memory/1576-137-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1576-130-0x0000000000000000-mapping.dmp

Download
memory/1584-62-0x0000000000403670-mapping.dmp

Download
memory/1584-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1584-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1596-224-0x0000000000000000-mapping.dmp

Download
memory/1596-238-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1604-236-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1604-222-0x0000000000000000-mapping.dmp

Download
memory/1616-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1616-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1616-66-0x0000000000411000-mapping.dmp

Download
memory/1620-234-0x0000000000000000-mapping.dmp

Download
memory/1620-237-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1632-255-0x0000000000000000-mapping.dmp

Download
memory/1640-187-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1640-179-0x0000000000000000-mapping.dmp

Download
memory/1656-292-0x0000000000000000-mapping.dmp

Download
memory/1688-160-0x0000000000000000-mapping.dmp

Download
memory/1688-164-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1732-280-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1732-268-0x0000000000000000-mapping.dmp

Download
memory/1792-276-0x0000000000000000-mapping.dmp

Download
memory/1808-239-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1808-226-0x0000000000000000-mapping.dmp

Download
memory/1812-191-0x0000000000000000-mapping.dmp

Download
memory/1812-199-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1820-300-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1820-59-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1820-60-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1820-293-0x0000000000000000-mapping.dmp

Download
memory/1836-304-0x0000000000000000-mapping.dmp

Download
memory/1836-311-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1864-184-0x0000000000000000-mapping.dmp

Download
memory/1864-188-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1872-85-0x0000000000411000-mapping.dmp

Download
memory/1984-136-0x0000000000000000-mapping.dmp

Download
memory/1984-148-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2000-287-0x0000000000000000-mapping.dmp

Download
memory/2000-296-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2004-285-0x0000000000000000-mapping.dmp

Download
memory/2004-295-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads