warzonerat | 90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab8b026c_by_Libranalysis.exe
Size

1.8MB
MD5

ab8b026c7402b5e0452ff0f915f2cb0f
SHA1

ca849caf19f9c87e2218f12d8c2c263f010b858f
SHA256

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9
SHA512

c896a625314f135ec0854f2ef80574efc21926c46a04224e6fa3f75342c8647963ee3d7e7538b2ac5352f2ad62f20d9e0bb86c8233289f8bded6ca52830cbbda

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4028	explorer.exe
1148	explorer.exe
68	spoolsv.exe
3820	spoolsv.exe
2316	spoolsv.exe
1852	spoolsv.exe
3844	spoolsv.exe
2856	spoolsv.exe
692	spoolsv.exe
3152	spoolsv.exe
3964	spoolsv.exe
2948	spoolsv.exe
2368	spoolsv.exe
3264	spoolsv.exe
1916	spoolsv.exe
4044	spoolsv.exe
3356	spoolsv.exe
424	spoolsv.exe
496	spoolsv.exe
852	spoolsv.exe
3644	spoolsv.exe
1756	spoolsv.exe
396	spoolsv.exe
3600	spoolsv.exe
3932	spoolsv.exe
2080	spoolsv.exe
2208	spoolsv.exe
4072	spoolsv.exe
3928	spoolsv.exe
3164	spoolsv.exe
788	spoolsv.exe
188	spoolsv.exe
1932	spoolsv.exe
3996	spoolsv.exe
544	spoolsv.exe
2232	spoolsv.exe
1816	spoolsv.exe
2624	spoolsv.exe
2808	spoolsv.exe
764	spoolsv.exe
1812	spoolsv.exe
2000	spoolsv.exe
3708	spoolsv.exe
1872	spoolsv.exe
2628	spoolsv.exe
4024	spoolsv.exe
1344	spoolsv.exe
4120	spoolsv.exe
4144	spoolsv.exe
4184	spoolsv.exe
4208	spoolsv.exe
4232	spoolsv.exe
4268	spoolsv.exe
4292	spoolsv.exe
4316	spoolsv.exe
4340	spoolsv.exe
4380	spoolsv.exe
4404	spoolsv.exe
4432	spoolsv.exe
4456	spoolsv.exe
4496	spoolsv.exe
4516	spoolsv.exe
4532	spoolsv.exe
4548	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeab8b026c_by_Libranalysis.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	ab8b026c_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

ab8b026c_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 852 set thread context of 2300	852	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 852 set thread context of 3752	852	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 4028 set thread context of 1148	4028	explorer.exe	explorer.exe
PID 4028 set thread context of 3648	4028	explorer.exe	diskperf.exe
PID 68 set thread context of 6888	68	spoolsv.exe	spoolsv.exe
PID 3820 set thread context of 6960	3820	spoolsv.exe	spoolsv.exe
PID 2316 set thread context of 7032	2316	spoolsv.exe	spoolsv.exe
PID 2316 set thread context of 7048	2316	spoolsv.exe	diskperf.exe
PID 1852 set thread context of 7112	1852	spoolsv.exe	spoolsv.exe
PID 3844 set thread context of 7156	3844	spoolsv.exe	spoolsv.exe
PID 3844 set thread context of 1700	3844	spoolsv.exe	diskperf.exe
PID 2856 set thread context of 6924	2856	spoolsv.exe	spoolsv.exe
PID 2856 set thread context of 6968	2856	spoolsv.exe	diskperf.exe
PID 692 set thread context of 6936	692	spoolsv.exe	spoolsv.exe
PID 692 set thread context of 3972	692	spoolsv.exe	diskperf.exe
PID 3152 set thread context of 7104	3152	spoolsv.exe	spoolsv.exe
PID 3152 set thread context of 3176	3152	spoolsv.exe	diskperf.exe
PID 3964 set thread context of 7164	3964	spoolsv.exe	spoolsv.exe
PID 2948 set thread context of 736	2948	spoolsv.exe	spoolsv.exe
PID 2948 set thread context of 7004	2948	spoolsv.exe	diskperf.exe
PID 2368 set thread context of 6992	2368	spoolsv.exe	spoolsv.exe
PID 3264 set thread context of 6932	3264	spoolsv.exe	spoolsv.exe
PID 3264 set thread context of 4248	3264	spoolsv.exe	diskperf.exe
PID 1916 set thread context of 3144	1916	spoolsv.exe	spoolsv.exe
PID 1916 set thread context of 7128	1916	spoolsv.exe	diskperf.exe
PID 4044 set thread context of 7092	4044	spoolsv.exe	spoolsv.exe
PID 3356 set thread context of 1276	3356	spoolsv.exe	spoolsv.exe
PID 2368 set thread context of 1432	2368	spoolsv.exe	spoolsv.exe
PID 3356 set thread context of 2468	3356	spoolsv.exe	diskperf.exe
PID 2368 set thread context of 2356	2368	spoolsv.exe	diskperf.exe
PID 424 set thread context of 1840	424	spoolsv.exe	spoolsv.exe
PID 496 set thread context of 7124	496	spoolsv.exe	spoolsv.exe
PID 424 set thread context of 3924	424	spoolsv.exe	diskperf.exe
PID 496 set thread context of 1792	496	spoolsv.exe	diskperf.exe
PID 852 set thread context of 476	852	spoolsv.exe	spoolsv.exe
PID 852 set thread context of 936	852	spoolsv.exe	diskperf.exe
PID 3644 set thread context of 4036	3644	spoolsv.exe	diskperf.exe
PID 3644 set thread context of 612	3644	spoolsv.exe	diskperf.exe
PID 1756 set thread context of 3880	1756	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 7064	1756	spoolsv.exe	diskperf.exe
PID 396 set thread context of 3132	396	spoolsv.exe	diskperf.exe
PID 396 set thread context of 7092	396	spoolsv.exe	diskperf.exe
PID 3600 set thread context of 2176	3600	spoolsv.exe	spoolsv.exe
PID 3932 set thread context of 4608	3932	spoolsv.exe	spoolsv.exe
PID 2080 set thread context of 4540	2080	spoolsv.exe	spoolsv.exe
PID 2080 set thread context of 3132	2080	spoolsv.exe	diskperf.exe
PID 2208 set thread context of 2428	2208	spoolsv.exe	spoolsv.exe
PID 2208 set thread context of 4576	2208	spoolsv.exe	diskperf.exe
PID 4072 set thread context of 4704	4072	spoolsv.exe	spoolsv.exe
PID 4072 set thread context of 3880	4072	spoolsv.exe	diskperf.exe
PID 3928 set thread context of 4652	3928	spoolsv.exe	spoolsv.exe
PID 3928 set thread context of 3492	3928	spoolsv.exe	diskperf.exe
PID 3164 set thread context of 2176	3164	spoolsv.exe	spoolsv.exe
PID 3164 set thread context of 2428	3164	spoolsv.exe	diskperf.exe
PID 788 set thread context of 4608	788	spoolsv.exe	spoolsv.exe
PID 788 set thread context of 4704	788	spoolsv.exe	diskperf.exe
PID 188 set thread context of 4832	188	spoolsv.exe	diskperf.exe
PID 188 set thread context of 4752	188	spoolsv.exe	diskperf.exe
PID 1932 set thread context of 4880	1932	spoolsv.exe	spoolsv.exe
PID 1932 set thread context of 4040	1932	spoolsv.exe	diskperf.exe
PID 3996 set thread context of 1152	3996	spoolsv.exe	spoolsv.exe
PID 3996 set thread context of 4832	3996	spoolsv.exe	diskperf.exe
PID 544 set thread context of 4940	544	spoolsv.exe	spoolsv.exe
PID 544 set thread context of 4960	544	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exeab8b026c_by_Libranalysis.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	ab8b026c_by_Libranalysis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ab8b026c_by_Libranalysis.exeexplorer.exe

pid	process
2300	ab8b026c_by_Libranalysis.exe
2300	ab8b026c_by_Libranalysis.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1148 explorer.exe

pid	process
1148	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

ab8b026c_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exediskperf.exespoolsv.exediskperf.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2300	ab8b026c_by_Libranalysis.exe
2300	ab8b026c_by_Libranalysis.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
1148	explorer.exe
6888	spoolsv.exe
6888	spoolsv.exe
6960	spoolsv.exe
6960	spoolsv.exe
7032	spoolsv.exe
7032	spoolsv.exe
7112	spoolsv.exe
7112	spoolsv.exe
7156	spoolsv.exe
7156	spoolsv.exe
6924	spoolsv.exe
6924	spoolsv.exe
6936	spoolsv.exe
6936	spoolsv.exe
7104	spoolsv.exe
7164	spoolsv.exe
7104	spoolsv.exe
7164	spoolsv.exe
736	spoolsv.exe
736	spoolsv.exe
6992	spoolsv.exe
6992	spoolsv.exe
6932	spoolsv.exe
6932	spoolsv.exe
3144	spoolsv.exe
3144	spoolsv.exe
7092	spoolsv.exe
7092	spoolsv.exe
1276	spoolsv.exe
1432	spoolsv.exe
1276	spoolsv.exe
1432	spoolsv.exe
7124	spoolsv.exe
7124	spoolsv.exe
1840	spoolsv.exe
1840	spoolsv.exe
476	spoolsv.exe
476	spoolsv.exe
4036	diskperf.exe
4036	diskperf.exe
3880	spoolsv.exe
3880	spoolsv.exe
3132	diskperf.exe
3132	diskperf.exe
2176	spoolsv.exe
2176	spoolsv.exe
4608	spoolsv.exe
4608	spoolsv.exe
4540	spoolsv.exe
4540	spoolsv.exe
2428	spoolsv.exe
2428	spoolsv.exe
4704	spoolsv.exe
4704	spoolsv.exe
4652	spoolsv.exe
4652	spoolsv.exe
2176	spoolsv.exe
2176	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ab8b026c_by_Libranalysis.exeab8b026c_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 852 wrote to memory of 2300	852	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 852 wrote to memory of 2300	852	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 852 wrote to memory of 2300	852	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 852 wrote to memory of 2300	852	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 852 wrote to memory of 2300	852	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 852 wrote to memory of 2300	852	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 852 wrote to memory of 2300	852	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 852 wrote to memory of 2300	852	ab8b026c_by_Libranalysis.exe	ab8b026c_by_Libranalysis.exe
PID 852 wrote to memory of 3752	852	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 852 wrote to memory of 3752	852	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 852 wrote to memory of 3752	852	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 852 wrote to memory of 3752	852	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 852 wrote to memory of 3752	852	ab8b026c_by_Libranalysis.exe	diskperf.exe
PID 2300 wrote to memory of 4028	2300	ab8b026c_by_Libranalysis.exe	explorer.exe
PID 2300 wrote to memory of 4028	2300	ab8b026c_by_Libranalysis.exe	explorer.exe
PID 2300 wrote to memory of 4028	2300	ab8b026c_by_Libranalysis.exe	explorer.exe
PID 4028 wrote to memory of 1148	4028	explorer.exe	explorer.exe
PID 4028 wrote to memory of 1148	4028	explorer.exe	explorer.exe
PID 4028 wrote to memory of 1148	4028	explorer.exe	explorer.exe
PID 4028 wrote to memory of 1148	4028	explorer.exe	explorer.exe
PID 4028 wrote to memory of 1148	4028	explorer.exe	explorer.exe
PID 4028 wrote to memory of 1148	4028	explorer.exe	explorer.exe
PID 4028 wrote to memory of 1148	4028	explorer.exe	explorer.exe
PID 4028 wrote to memory of 1148	4028	explorer.exe	explorer.exe
PID 4028 wrote to memory of 3648	4028	explorer.exe	diskperf.exe
PID 4028 wrote to memory of 3648	4028	explorer.exe	diskperf.exe
PID 4028 wrote to memory of 3648	4028	explorer.exe	diskperf.exe
PID 4028 wrote to memory of 3648	4028	explorer.exe	diskperf.exe
PID 4028 wrote to memory of 3648	4028	explorer.exe	diskperf.exe
PID 1148 wrote to memory of 68	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 68	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 68	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3820	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3820	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3820	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2316	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2316	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2316	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 1852	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 1852	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 1852	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3844	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3844	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3844	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2856	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2856	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2856	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 692	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 692	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 692	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3152	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3152	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3152	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3964	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3964	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3964	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2948	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2948	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2948	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2368	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2368	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 2368	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3264	1148	explorer.exe	spoolsv.exe
PID 1148 wrote to memory of 3264	1148	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\ab8b026c_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\ab8b026c_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Local\Temp\ab8b026c_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\ab8b026c_by_Libranalysis.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4028

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:68

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7032

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7112

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6924

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:736

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6992

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6932

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3144

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7092

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3356

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7124

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:476

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4036

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3880

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:60

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3132

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2176

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2428

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4652

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2108

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2176

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2144

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4848

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:188

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4880

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3220

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1152

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4940

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4896

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4988

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1936

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:492

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5104

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1676

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2120

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5036

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:412

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2644

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4076

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4488

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5192

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5208

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5224

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5236

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5252

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4112

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5300

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:3648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:3752

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
ab8b026c7402b5e0452ff0f915f2cb0f

SHA1
ca849caf19f9c87e2218f12d8c2c263f010b858f

SHA256
90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9

SHA512
c896a625314f135ec0854f2ef80574efc21926c46a04224e6fa3f75342c8647963ee3d7e7538b2ac5352f2ad62f20d9e0bb86c8233289f8bded6ca52830cbbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
099539bbe3b78999b5c4af02c924a8e7

SHA1
2bbedde73708be2e155cfad8c4dff596f533a383

SHA256
fa4a8076f90ccbeca0784232fcbfd4aa503e5e16e0a8ed7c7ef83e9caeaf2de7

SHA512
e98dde07043565f28816b1edbce08806a5e286b3ee006ae3a61c42a381b284b39ec70359bb4c683580760964e0fac11e69cb6710919499fa9357e3ede8cc9621

Download Submit
C:\Windows\System\explorer.exe
MD5
099539bbe3b78999b5c4af02c924a8e7

SHA1
2bbedde73708be2e155cfad8c4dff596f533a383

SHA256
fa4a8076f90ccbeca0784232fcbfd4aa503e5e16e0a8ed7c7ef83e9caeaf2de7

SHA512
e98dde07043565f28816b1edbce08806a5e286b3ee006ae3a61c42a381b284b39ec70359bb4c683580760964e0fac11e69cb6710919499fa9357e3ede8cc9621

Download Submit
C:\Windows\System\explorer.exe
MD5
099539bbe3b78999b5c4af02c924a8e7

SHA1
2bbedde73708be2e155cfad8c4dff596f533a383

SHA256
fa4a8076f90ccbeca0784232fcbfd4aa503e5e16e0a8ed7c7ef83e9caeaf2de7

SHA512
e98dde07043565f28816b1edbce08806a5e286b3ee006ae3a61c42a381b284b39ec70359bb4c683580760964e0fac11e69cb6710919499fa9357e3ede8cc9621

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
\??\c:\windows\system\explorer.exe
MD5
099539bbe3b78999b5c4af02c924a8e7

SHA1
2bbedde73708be2e155cfad8c4dff596f533a383

SHA256
fa4a8076f90ccbeca0784232fcbfd4aa503e5e16e0a8ed7c7ef83e9caeaf2de7

SHA512
e98dde07043565f28816b1edbce08806a5e286b3ee006ae3a61c42a381b284b39ec70359bb4c683580760964e0fac11e69cb6710919499fa9357e3ede8cc9621

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
2ea01528d94b1f93b7263dc394797ec9

SHA1
798da6cc47bc462e9eafb80c51f033704639add8

SHA256
af33f682a98336887899cefe774b1095fb351a46a0f759ada5afc7cbb2e50e9d

SHA512
db51f3d00ea25272196edd2493c7bae484a3ab81b2fd47ae84708791230e18477913e7a68a014667c453045de137aae379ee762f21f65e1707d9fef7edc9674c

Download Submit
memory/68-149-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/68-144-0x0000000000000000-mapping.dmp

Download
memory/188-229-0x0000000000000000-mapping.dmp

Download
memory/188-232-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/396-204-0x0000000000000000-mapping.dmp

Download
memory/424-190-0x0000000000000000-mapping.dmp

Download
memory/424-198-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/496-199-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/496-192-0x0000000000000000-mapping.dmp

Download
memory/544-242-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/544-239-0x0000000000000000-mapping.dmp

Download
memory/692-162-0x0000000000000000-mapping.dmp

Download
memory/692-167-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/764-256-0x0000000000000000-mapping.dmp

Download
memory/764-262-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/788-234-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/788-227-0x0000000000000000-mapping.dmp

Download
memory/852-114-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/852-200-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/852-194-0x0000000000000000-mapping.dmp

Download
memory/1148-131-0x0000000000403670-mapping.dmp

Download
memory/1344-284-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1344-276-0x0000000000000000-mapping.dmp

Download
memory/1756-208-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1756-202-0x0000000000000000-mapping.dmp

Download
memory/1812-258-0x0000000000000000-mapping.dmp

Download
memory/1812-263-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/1816-246-0x0000000000000000-mapping.dmp

Download
memory/1816-254-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/1852-153-0x0000000000000000-mapping.dmp

Download
memory/1852-158-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1872-272-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1872-267-0x0000000000000000-mapping.dmp

Download
memory/1916-187-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1916-181-0x0000000000000000-mapping.dmp

Download
memory/1932-241-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1932-235-0x0000000000000000-mapping.dmp

Download
memory/2000-260-0x0000000000000000-mapping.dmp

Download
memory/2080-213-0x0000000000000000-mapping.dmp

Download
memory/2080-221-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2208-222-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2208-215-0x0000000000000000-mapping.dmp

Download
memory/2232-252-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2232-244-0x0000000000000000-mapping.dmp

Download
memory/2300-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2300-116-0x0000000000403670-mapping.dmp

Download
memory/2300-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2316-151-0x0000000000000000-mapping.dmp

Download
memory/2316-157-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2368-180-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2368-173-0x0000000000000000-mapping.dmp

Download
memory/2624-255-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2624-248-0x0000000000000000-mapping.dmp

Download
memory/2628-269-0x0000000000000000-mapping.dmp

Download
memory/2628-273-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2808-250-0x0000000000000000-mapping.dmp

Download
memory/2808-253-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/2856-166-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2856-160-0x0000000000000000-mapping.dmp

Download
memory/2948-179-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2948-171-0x0000000000000000-mapping.dmp

Download
memory/3152-168-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3152-164-0x0000000000000000-mapping.dmp

Download
memory/3164-233-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3164-225-0x0000000000000000-mapping.dmp

Download
memory/3264-178-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3264-175-0x0000000000000000-mapping.dmp

Download
memory/3356-185-0x0000000000000000-mapping.dmp

Download
memory/3356-189-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3600-206-0x0000000000000000-mapping.dmp

Download
memory/3600-210-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3644-201-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3644-196-0x0000000000000000-mapping.dmp

Download
memory/3648-136-0x0000000000411000-mapping.dmp

Download
memory/3708-265-0x0000000000000000-mapping.dmp

Download
memory/3708-271-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3752-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3752-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3752-118-0x0000000000411000-mapping.dmp

Download
memory/3820-147-0x0000000000000000-mapping.dmp

Download
memory/3820-150-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3844-159-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3844-155-0x0000000000000000-mapping.dmp

Download
memory/3928-231-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3928-223-0x0000000000000000-mapping.dmp

Download
memory/3932-219-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download
memory/3932-211-0x0000000000000000-mapping.dmp

Download
memory/3964-177-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3964-169-0x0000000000000000-mapping.dmp

Download
memory/3996-237-0x0000000000000000-mapping.dmp

Download
memory/3996-243-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4024-282-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4024-274-0x0000000000000000-mapping.dmp

Download
memory/4028-126-0x0000000000000000-mapping.dmp

Download
memory/4028-129-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4044-183-0x0000000000000000-mapping.dmp

Download
memory/4044-188-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4072-220-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4072-217-0x0000000000000000-mapping.dmp

Download
memory/4120-285-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4120-278-0x0000000000000000-mapping.dmp

Download
memory/4144-280-0x0000000000000000-mapping.dmp

Download
memory/4184-286-0x0000000000000000-mapping.dmp

Download
memory/4184-292-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4208-288-0x0000000000000000-mapping.dmp

Download
memory/4208-293-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4232-294-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4232-290-0x0000000000000000-mapping.dmp

Download
memory/4268-303-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4268-295-0x0000000000000000-mapping.dmp

Download
memory/4292-297-0x0000000000000000-mapping.dmp

Download
memory/4292-305-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4316-299-0x0000000000000000-mapping.dmp

Download
memory/4316-306-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4340-304-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/4340-301-0x0000000000000000-mapping.dmp

Download
memory/4380-307-0x0000000000000000-mapping.dmp

Download
memory/4380-315-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4404-309-0x0000000000000000-mapping.dmp

Download
memory/4404-317-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/4432-311-0x0000000000000000-mapping.dmp

Download
memory/4432-318-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4456-313-0x0000000000000000-mapping.dmp

Download
memory/4456-316-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4496-319-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads