warzonerat | 926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea

Analysis

max time kernel
143s
max time network
10s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
Size

1.8MB
MD5

bc4a2d6d59a0aee1a434e93f5d59019a
SHA1

2403a1c0017b46d2357f3730b9d5c16fa7284a28
SHA256

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea
SHA512

5b808a743ed3663656417dc23b9614dc89ab25c5814040f76afa356659ce3614431a2580963e977c9169d262ba80a4238d70ab53b7317f1b6003fd5111e8ba47

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
300	explorer.exe
580	explorer.exe
1064	spoolsv.exe
1496	spoolsv.exe
700	spoolsv.exe
436	spoolsv.exe
1760	spoolsv.exe
1600	spoolsv.exe
1916	spoolsv.exe
1920	spoolsv.exe
2032	spoolsv.exe
920	spoolsv.exe
1212	spoolsv.exe
484	spoolsv.exe
1012	spoolsv.exe
396	spoolsv.exe
1564	spoolsv.exe
1392	spoolsv.exe
1612	spoolsv.exe
1636	spoolsv.exe
560	spoolsv.exe
548	spoolsv.exe
608	spoolsv.exe
1828	spoolsv.exe
1108	spoolsv.exe
1744	spoolsv.exe
1336	spoolsv.exe
1740	spoolsv.exe
2012	spoolsv.exe
1928	spoolsv.exe
1196	spoolsv.exe
952	spoolsv.exe
1368	spoolsv.exe
628	spoolsv.exe
884	spoolsv.exe
112	spoolsv.exe
832	spoolsv.exe
828	spoolsv.exe
1792	spoolsv.exe
880	spoolsv.exe
300	spoolsv.exe
956	spoolsv.exe
928	spoolsv.exe
1164	spoolsv.exe
1864	spoolsv.exe
268	spoolsv.exe
1984	spoolsv.exe
1684	spoolsv.exe
988	spoolsv.exe
1296	spoolsv.exe
916	spoolsv.exe
1568	spoolsv.exe
1580	spoolsv.exe
1692	spoolsv.exe
692	spoolsv.exe
1800	spoolsv.exe
1096	spoolsv.exe
1032	spoolsv.exe
1944	spoolsv.exe
296	spoolsv.exe
2016	spoolsv.exe
1300	spoolsv.exe
2040	spoolsv.exe
968	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exe

pid	process
1548	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
1548	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 62 IoCs

Processes:

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 484 set thread context of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 set thread context of 1284	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 300 set thread context of 580	300	explorer.exe	explorer.exe
PID 300 set thread context of 340	300	explorer.exe	diskperf.exe
PID 1064 set thread context of 3168	1064	spoolsv.exe	spoolsv.exe
PID 1064 set thread context of 3176	1064	spoolsv.exe	diskperf.exe
PID 1496 set thread context of 3208	1496	spoolsv.exe	spoolsv.exe
PID 1496 set thread context of 3216	1496	spoolsv.exe	diskperf.exe
PID 700 set thread context of 3244	700	spoolsv.exe	spoolsv.exe
PID 700 set thread context of 3252	700	spoolsv.exe	diskperf.exe
PID 436 set thread context of 3280	436	spoolsv.exe	spoolsv.exe
PID 436 set thread context of 3288	436	spoolsv.exe	diskperf.exe
PID 1760 set thread context of 3316	1760	spoolsv.exe	spoolsv.exe
PID 1760 set thread context of 3324	1760	spoolsv.exe	diskperf.exe
PID 1600 set thread context of 3344	1600	spoolsv.exe	spoolsv.exe
PID 1600 set thread context of 3352	1600	spoolsv.exe	diskperf.exe
PID 1916 set thread context of 3380	1916	spoolsv.exe	spoolsv.exe
PID 1916 set thread context of 3388	1916	spoolsv.exe	diskperf.exe
PID 1920 set thread context of 3412	1920	spoolsv.exe	spoolsv.exe
PID 1920 set thread context of 3420	1920	spoolsv.exe	diskperf.exe
PID 2032 set thread context of 3448	2032	spoolsv.exe	spoolsv.exe
PID 2032 set thread context of 3456	2032	spoolsv.exe	diskperf.exe
PID 920 set thread context of 3484	920	spoolsv.exe	spoolsv.exe
PID 920 set thread context of 3492	920	spoolsv.exe	diskperf.exe
PID 1212 set thread context of 3520	1212	spoolsv.exe	spoolsv.exe
PID 1212 set thread context of 3528	1212	spoolsv.exe	diskperf.exe
PID 484 set thread context of 3556	484	spoolsv.exe	spoolsv.exe
PID 484 set thread context of 3564	484	spoolsv.exe	diskperf.exe
PID 1012 set thread context of 3592	1012	spoolsv.exe	spoolsv.exe
PID 1012 set thread context of 3600	1012	spoolsv.exe	diskperf.exe
PID 396 set thread context of 3624	396	spoolsv.exe	spoolsv.exe
PID 396 set thread context of 3632	396	spoolsv.exe	diskperf.exe
PID 1564 set thread context of 3656	1564	spoolsv.exe	spoolsv.exe
PID 1564 set thread context of 3664	1564	spoolsv.exe	diskperf.exe
PID 1392 set thread context of 3692	1392	spoolsv.exe	spoolsv.exe
PID 1392 set thread context of 3700	1392	spoolsv.exe	diskperf.exe
PID 1612 set thread context of 3720	1612	spoolsv.exe	spoolsv.exe
PID 1612 set thread context of 3728	1612	spoolsv.exe	diskperf.exe
PID 1636 set thread context of 3748	1636	spoolsv.exe	spoolsv.exe
PID 1636 set thread context of 3756	1636	spoolsv.exe	diskperf.exe
PID 560 set thread context of 3784	560	spoolsv.exe	spoolsv.exe
PID 560 set thread context of 3792	560	spoolsv.exe	diskperf.exe
PID 548 set thread context of 3812	548	spoolsv.exe	spoolsv.exe
PID 548 set thread context of 3832	548	spoolsv.exe	diskperf.exe
PID 608 set thread context of 3840	608	spoolsv.exe	spoolsv.exe
PID 608 set thread context of 3848	608	spoolsv.exe	diskperf.exe
PID 1828 set thread context of 3868	1828	spoolsv.exe	spoolsv.exe
PID 1828 set thread context of 3876	1828	spoolsv.exe	diskperf.exe
PID 1108 set thread context of 3904	1108	spoolsv.exe	spoolsv.exe
PID 1108 set thread context of 3912	1108	spoolsv.exe	diskperf.exe
PID 1744 set thread context of 3920	1744	spoolsv.exe	spoolsv.exe
PID 1744 set thread context of 3928	1744	spoolsv.exe	diskperf.exe
PID 1336 set thread context of 3952	1336	spoolsv.exe	spoolsv.exe
PID 1336 set thread context of 3960	1336	spoolsv.exe	diskperf.exe
PID 1740 set thread context of 3968	1740	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 4000	2012	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 4008	2012	spoolsv.exe	diskperf.exe
PID 1740 set thread context of 3992	1740	spoolsv.exe	diskperf.exe
PID 1928 set thread context of 4028	1928	spoolsv.exe	spoolsv.exe
PID 1928 set thread context of 4036	1928	spoolsv.exe	diskperf.exe
PID 1196 set thread context of 4060	1196	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 4068	952	spoolsv.exe	svchost.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exe

pid	process
1548	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

580 explorer.exe

pid	process
580	explorer.exe

Suspicious use of SetWindowsHookEx 63 IoCs

Processes:

pid	process
1548	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
1548	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
580	explorer.exe
3168	spoolsv.exe
3168	spoolsv.exe
3208	spoolsv.exe
3208	spoolsv.exe
3244	spoolsv.exe
3244	spoolsv.exe
3280	spoolsv.exe
3280	spoolsv.exe
3316	spoolsv.exe
3316	spoolsv.exe
3344	spoolsv.exe
3344	spoolsv.exe
3380	spoolsv.exe
3380	spoolsv.exe
3412	spoolsv.exe
3412	spoolsv.exe
3448	spoolsv.exe
3448	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
3520	spoolsv.exe
3520	spoolsv.exe
3556	spoolsv.exe
3556	spoolsv.exe
3592	spoolsv.exe
3592	spoolsv.exe
3624	spoolsv.exe
3624	spoolsv.exe
3656	spoolsv.exe
3656	spoolsv.exe
3692	spoolsv.exe
3692	spoolsv.exe
3720	spoolsv.exe
3720	spoolsv.exe
3748	spoolsv.exe
3748	spoolsv.exe
3784	spoolsv.exe
3784	spoolsv.exe
3812	spoolsv.exe
3812	spoolsv.exe
3840	spoolsv.exe
3840	spoolsv.exe
3868	spoolsv.exe
3868	spoolsv.exe
3904	spoolsv.exe
3904	spoolsv.exe
3920	spoolsv.exe
3920	spoolsv.exe
3952	spoolsv.exe
3952	spoolsv.exe
3968	spoolsv.exe
3968	spoolsv.exe
4000	spoolsv.exe
4000	spoolsv.exe
4028	spoolsv.exe
4028	spoolsv.exe
4060	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 484 wrote to memory of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 wrote to memory of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 wrote to memory of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 wrote to memory of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 wrote to memory of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 wrote to memory of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 wrote to memory of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 wrote to memory of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 wrote to memory of 1548	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 484 wrote to memory of 1284	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 484 wrote to memory of 1284	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 484 wrote to memory of 1284	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 484 wrote to memory of 1284	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 484 wrote to memory of 1284	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 484 wrote to memory of 1284	484	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 1548 wrote to memory of 300	1548	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	explorer.exe
PID 1548 wrote to memory of 300	1548	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	explorer.exe
PID 1548 wrote to memory of 300	1548	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	explorer.exe
PID 1548 wrote to memory of 300	1548	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	explorer.exe
PID 300 wrote to memory of 580	300	explorer.exe	explorer.exe
PID 300 wrote to memory of 580	300	explorer.exe	explorer.exe
PID 300 wrote to memory of 580	300	explorer.exe	explorer.exe
PID 300 wrote to memory of 580	300	explorer.exe	explorer.exe
PID 300 wrote to memory of 580	300	explorer.exe	explorer.exe
PID 300 wrote to memory of 580	300	explorer.exe	explorer.exe
PID 300 wrote to memory of 580	300	explorer.exe	explorer.exe
PID 300 wrote to memory of 580	300	explorer.exe	explorer.exe
PID 300 wrote to memory of 580	300	explorer.exe	explorer.exe
PID 300 wrote to memory of 340	300	explorer.exe	diskperf.exe
PID 300 wrote to memory of 340	300	explorer.exe	diskperf.exe
PID 300 wrote to memory of 340	300	explorer.exe	diskperf.exe
PID 300 wrote to memory of 340	300	explorer.exe	diskperf.exe
PID 300 wrote to memory of 340	300	explorer.exe	diskperf.exe
PID 300 wrote to memory of 340	300	explorer.exe	diskperf.exe
PID 580 wrote to memory of 1064	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1064	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1064	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1064	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1496	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1496	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1496	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1496	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 700	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 700	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 700	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 700	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 436	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 436	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 436	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 436	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1760	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1760	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1760	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1760	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1600	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1600	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1600	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1600	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1916	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1916	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1916	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1916	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1920	580	explorer.exe	spoolsv.exe
PID 580 wrote to memory of 1920	580	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
"C:\Users\Admin\AppData\Local\Temp\926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
"C:\Users\Admin\AppData\Local\Temp\926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1548

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:300

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3168

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3200

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3208

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3232

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3244

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3280

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3316

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3336

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3344

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3380

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3400

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3412

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3448

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3520

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3556

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3576

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3592

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3612

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3624

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3720

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3840

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3904

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1336

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3952

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3968

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4028

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4060

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3248

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3308

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3332

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3384

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3360

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3488

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3572

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3688

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3720

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3752

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3788

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:860

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1620

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3988

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1700

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3444

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2028

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1516

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3872

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:288

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1716

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1680

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1340

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:340

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1284

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3440

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
bc4a2d6d59a0aee1a434e93f5d59019a

SHA1
2403a1c0017b46d2357f3730b9d5c16fa7284a28

SHA256
926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea

SHA512
5b808a743ed3663656417dc23b9614dc89ab25c5814040f76afa356659ce3614431a2580963e977c9169d262ba80a4238d70ab53b7317f1b6003fd5111e8ba47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
6ca7561c3a4f3d3a70501cc4fb069a5f

SHA1
3c1cd493e16352bb09c169f44c46983d1b25a320

SHA256
c97f26a12465de7e927665974f46409b697e063d60d59708e6e9d65c71b42f7e

SHA512
74e2109c36fcd67e87a84b2463c78dbb4116c8101cdf160a180cf760f4a1eed20404a8cda54e7c134b7661a65403bed5e0e0f48964375a407c3d671ecf603938

Download Submit
C:\Windows\system\explorer.exe
MD5
6ca7561c3a4f3d3a70501cc4fb069a5f

SHA1
3c1cd493e16352bb09c169f44c46983d1b25a320

SHA256
c97f26a12465de7e927665974f46409b697e063d60d59708e6e9d65c71b42f7e

SHA512
74e2109c36fcd67e87a84b2463c78dbb4116c8101cdf160a180cf760f4a1eed20404a8cda54e7c134b7661a65403bed5e0e0f48964375a407c3d671ecf603938

Download Submit
C:\Windows\system\explorer.exe
MD5
6ca7561c3a4f3d3a70501cc4fb069a5f

SHA1
3c1cd493e16352bb09c169f44c46983d1b25a320

SHA256
c97f26a12465de7e927665974f46409b697e063d60d59708e6e9d65c71b42f7e

SHA512
74e2109c36fcd67e87a84b2463c78dbb4116c8101cdf160a180cf760f4a1eed20404a8cda54e7c134b7661a65403bed5e0e0f48964375a407c3d671ecf603938

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
C:\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\??\c:\windows\system\explorer.exe
MD5
6ca7561c3a4f3d3a70501cc4fb069a5f

SHA1
3c1cd493e16352bb09c169f44c46983d1b25a320

SHA256
c97f26a12465de7e927665974f46409b697e063d60d59708e6e9d65c71b42f7e

SHA512
74e2109c36fcd67e87a84b2463c78dbb4116c8101cdf160a180cf760f4a1eed20404a8cda54e7c134b7661a65403bed5e0e0f48964375a407c3d671ecf603938

Download Submit
\Windows\system\explorer.exe
MD5
6ca7561c3a4f3d3a70501cc4fb069a5f

SHA1
3c1cd493e16352bb09c169f44c46983d1b25a320

SHA256
c97f26a12465de7e927665974f46409b697e063d60d59708e6e9d65c71b42f7e

SHA512
74e2109c36fcd67e87a84b2463c78dbb4116c8101cdf160a180cf760f4a1eed20404a8cda54e7c134b7661a65403bed5e0e0f48964375a407c3d671ecf603938

Download Submit
\Windows\system\explorer.exe
MD5
6ca7561c3a4f3d3a70501cc4fb069a5f

SHA1
3c1cd493e16352bb09c169f44c46983d1b25a320

SHA256
c97f26a12465de7e927665974f46409b697e063d60d59708e6e9d65c71b42f7e

SHA512
74e2109c36fcd67e87a84b2463c78dbb4116c8101cdf160a180cf760f4a1eed20404a8cda54e7c134b7661a65403bed5e0e0f48964375a407c3d671ecf603938

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
\Windows\system\spoolsv.exe
MD5
13013cdbb65814164ecd8e63633b4ce6

SHA1
61f9e458dae4cd7460e1e25b2d365e40b20d418d

SHA256
c431e0a2f94edec59f5f72a686b062c46b8fcbf754ebac81959b3c7601d31e93

SHA512
a2c43a084ebff61a4e63fe76c231d87833d16939bc8e169e6054895093019562ba9b5af909b2bab409090c2726b5c60637e01098b2f635bb494ec750c09b2a24

Download Submit
memory/112-246-0x0000000000000000-mapping.dmp

Download
memory/268-279-0x0000000000000000-mapping.dmp

Download
memory/268-291-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/296-312-0x0000000000000000-mapping.dmp

Download
memory/300-262-0x0000000000000000-mapping.dmp

Download
memory/300-78-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/300-74-0x0000000000000000-mapping.dmp

Download
memory/340-86-0x0000000000411000-mapping.dmp

Download
memory/396-177-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/396-173-0x0000000000000000-mapping.dmp

Download
memory/436-127-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/436-112-0x0000000000000000-mapping.dmp

Download
memory/484-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/484-161-0x0000000000000000-mapping.dmp

Download
memory/484-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/548-207-0x0000000000000000-mapping.dmp

Download
memory/560-204-0x0000000000000000-mapping.dmp

Download
memory/560-214-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/580-81-0x0000000000403670-mapping.dmp

Download
memory/608-209-0x0000000000000000-mapping.dmp

Download
memory/628-242-0x0000000000000000-mapping.dmp

Download
memory/628-252-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/692-300-0x0000000000000000-mapping.dmp

Download
memory/700-107-0x0000000000000000-mapping.dmp

Download
memory/700-114-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/828-270-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/828-256-0x0000000000000000-mapping.dmp

Download
memory/832-248-0x0000000000000000-mapping.dmp

Download
memory/832-255-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/880-260-0x0000000000000000-mapping.dmp

Download
memory/880-272-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/884-244-0x0000000000000000-mapping.dmp

Download
memory/884-253-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/916-296-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/916-289-0x0000000000000000-mapping.dmp

Download
memory/920-149-0x0000000000000000-mapping.dmp

Download
memory/928-275-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/928-266-0x0000000000000000-mapping.dmp

Download
memory/952-238-0x0000000000000000-mapping.dmp

Download
memory/956-274-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/956-264-0x0000000000000000-mapping.dmp

Download
memory/988-285-0x0000000000000000-mapping.dmp

Download
memory/1012-176-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1012-168-0x0000000000000000-mapping.dmp

Download
memory/1032-310-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1032-303-0x0000000000000000-mapping.dmp

Download
memory/1064-96-0x0000000000000000-mapping.dmp

Download
memory/1096-302-0x0000000000000000-mapping.dmp

Download
memory/1108-218-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1108-213-0x0000000000000000-mapping.dmp

Download
memory/1164-268-0x0000000000000000-mapping.dmp

Download
memory/1196-230-0x0000000000000000-mapping.dmp

Download
memory/1196-237-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1212-156-0x0000000000000000-mapping.dmp

Download
memory/1212-164-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1284-67-0x0000000000411000-mapping.dmp

Download
memory/1284-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1284-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1296-295-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1296-287-0x0000000000000000-mapping.dmp

Download
memory/1336-222-0x0000000000000000-mapping.dmp

Download
memory/1336-233-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1368-240-0x0000000000000000-mapping.dmp

Download
memory/1392-185-0x0000000000000000-mapping.dmp

Download
memory/1392-199-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1412-315-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1496-101-0x0000000000000000-mapping.dmp

Download
memory/1496-113-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1548-63-0x0000000000403670-mapping.dmp

Download
memory/1548-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1564-187-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1564-180-0x0000000000000000-mapping.dmp

Download
memory/1568-297-0x0000000000000000-mapping.dmp

Download
memory/1568-304-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1580-298-0x0000000000000000-mapping.dmp

Download
memory/1600-129-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1600-124-0x0000000000000000-mapping.dmp

Download
memory/1612-191-0x0000000000000000-mapping.dmp

Download
memory/1612-200-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1636-201-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1636-196-0x0000000000000000-mapping.dmp

Download
memory/1684-293-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1684-283-0x0000000000000000-mapping.dmp

Download
memory/1692-306-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1692-299-0x0000000000000000-mapping.dmp

Download
memory/1740-224-0x0000000000000000-mapping.dmp

Download
memory/1740-234-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1744-220-0x0000000000000000-mapping.dmp

Download
memory/1744-232-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1760-119-0x0000000000000000-mapping.dmp

Download
memory/1760-128-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1792-258-0x0000000000000000-mapping.dmp

Download
memory/1800-301-0x0000000000000000-mapping.dmp

Download
memory/1828-211-0x0000000000000000-mapping.dmp

Download
memory/1864-277-0x0000000000000000-mapping.dmp

Download
memory/1864-290-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1916-143-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1916-132-0x0000000000000000-mapping.dmp

Download
memory/1920-137-0x0000000000000000-mapping.dmp

Download
memory/1920-144-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1928-236-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1928-228-0x0000000000000000-mapping.dmp

Download
memory/1944-311-0x0000000000000000-mapping.dmp

Download
memory/1944-314-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1984-292-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1984-281-0x0000000000000000-mapping.dmp

Download
memory/2012-235-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-226-0x0000000000000000-mapping.dmp

Download
memory/2016-313-0x0000000000000000-mapping.dmp

Download
memory/2032-142-0x0000000000000000-mapping.dmp

Download
memory/2032-152-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads