warzonerat | 926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea

Analysis

max time kernel
149s
max time network
144s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
Size

1.8MB
MD5

bc4a2d6d59a0aee1a434e93f5d59019a
SHA1

2403a1c0017b46d2357f3730b9d5c16fa7284a28
SHA256

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea
SHA512

5b808a743ed3663656417dc23b9614dc89ab25c5814040f76afa356659ce3614431a2580963e977c9169d262ba80a4238d70ab53b7317f1b6003fd5111e8ba47

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4016	explorer.exe
3648	explorer.exe
2392	spoolsv.exe
2544	spoolsv.exe
3556	spoolsv.exe
3744	spoolsv.exe
3696	spoolsv.exe
1920	spoolsv.exe
2856	spoolsv.exe
740	spoolsv.exe
2208	spoolsv.exe
1088	spoolsv.exe
3964	spoolsv.exe
2116	spoolsv.exe
736	spoolsv.exe
1620	spoolsv.exe
1012	spoolsv.exe
4064	spoolsv.exe
2212	spoolsv.exe
3656	spoolsv.exe
1136	spoolsv.exe
2080	spoolsv.exe
2560	spoolsv.exe
2876	spoolsv.exe
3992	spoolsv.exe
3236	spoolsv.exe
636	spoolsv.exe
4016	spoolsv.exe
3864	spoolsv.exe
2532	spoolsv.exe
2752	spoolsv.exe
2904	spoolsv.exe
748	spoolsv.exe
1224	spoolsv.exe
3720	spoolsv.exe
4072	spoolsv.exe
3576	spoolsv.exe
2556	spoolsv.exe
1292	spoolsv.exe
1752	spoolsv.exe
2044	spoolsv.exe
3584	spoolsv.exe
2084	spoolsv.exe
2480	spoolsv.exe
2156	spoolsv.exe
3560	spoolsv.exe
2120	spoolsv.exe
2204	spoolsv.exe
3168	spoolsv.exe
4116	spoolsv.exe
4152	spoolsv.exe
4176	spoolsv.exe
4200	spoolsv.exe
4236	spoolsv.exe
4260	spoolsv.exe
4284	spoolsv.exe
4320	spoolsv.exe
4344	spoolsv.exe
4368	spoolsv.exe
4392	spoolsv.exe
4432	spoolsv.exe
4452	spoolsv.exe
4468	spoolsv.exe
4484	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exe926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 584 set thread context of 2556	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 584 set thread context of 3676	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 4016 set thread context of 3648	4016	explorer.exe	explorer.exe
PID 4016 set thread context of 3880	4016	explorer.exe	diskperf.exe
PID 2392 set thread context of 6520	2392	spoolsv.exe	spoolsv.exe
PID 2392 set thread context of 6536	2392	spoolsv.exe	diskperf.exe
PID 2544 set thread context of 6620	2544	spoolsv.exe	spoolsv.exe
PID 2544 set thread context of 6636	2544	spoolsv.exe	diskperf.exe
PID 3556 set thread context of 6688	3556	spoolsv.exe	spoolsv.exe
PID 3556 set thread context of 6712	3556	spoolsv.exe	diskperf.exe
PID 3744 set thread context of 6748	3744	spoolsv.exe	spoolsv.exe
PID 3696 set thread context of 6780	3696	spoolsv.exe	spoolsv.exe
PID 1920 set thread context of 6820	1920	spoolsv.exe	spoolsv.exe
PID 3696 set thread context of 6844	3696	spoolsv.exe	diskperf.exe
PID 2856 set thread context of 6888	2856	spoolsv.exe	spoolsv.exe
PID 1920 set thread context of 6880	1920	spoolsv.exe	diskperf.exe
PID 740 set thread context of 6964	740	spoolsv.exe	spoolsv.exe
PID 2208 set thread context of 6980	2208	spoolsv.exe	spoolsv.exe
PID 2208 set thread context of 7028	2208	spoolsv.exe	diskperf.exe
PID 1088 set thread context of 7040	1088	spoolsv.exe	spoolsv.exe
PID 740 set thread context of 7012	740	spoolsv.exe	diskperf.exe
PID 1088 set thread context of 7080	1088	spoolsv.exe	diskperf.exe
PID 3964 set thread context of 7108	3964	spoolsv.exe	spoolsv.exe
PID 3964 set thread context of 7116	3964	spoolsv.exe	diskperf.exe
PID 2116 set thread context of 7164	2116	spoolsv.exe	spoolsv.exe
PID 736 set thread context of 6584	736	spoolsv.exe	spoolsv.exe
PID 736 set thread context of 2484	736	spoolsv.exe	diskperf.exe
PID 1620 set thread context of 6624	1620	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 6592	1620	spoolsv.exe	diskperf.exe
PID 1012 set thread context of 6732	1012	spoolsv.exe	spoolsv.exe
PID 4064 set thread context of 6692	4064	spoolsv.exe	spoolsv.exe
PID 4064 set thread context of 6832	4064	spoolsv.exe	diskperf.exe
PID 2212 set thread context of 6916	2212	spoolsv.exe	spoolsv.exe
PID 2212 set thread context of 6896	2212	spoolsv.exe	diskperf.exe
PID 3656 set thread context of 6784	3656	spoolsv.exe	spoolsv.exe
PID 3656 set thread context of 6912	3656	spoolsv.exe	diskperf.exe
PID 1136 set thread context of 3592	1136	spoolsv.exe	spoolsv.exe
PID 1136 set thread context of 7000	1136	spoolsv.exe	diskperf.exe
PID 2080 set thread context of 7052	2080	spoolsv.exe	spoolsv.exe
PID 2080 set thread context of 1448	2080	spoolsv.exe	diskperf.exe
PID 2560 set thread context of 976	2560	spoolsv.exe	spoolsv.exe
PID 2560 set thread context of 7092	2560	spoolsv.exe	diskperf.exe
PID 2876 set thread context of 3132	2876	spoolsv.exe	spoolsv.exe
PID 2876 set thread context of 3232	2876	spoolsv.exe	diskperf.exe
PID 3992 set thread context of 7112	3992	spoolsv.exe	spoolsv.exe
PID 3236 set thread context of 6544	3236	spoolsv.exe	spoolsv.exe
PID 3236 set thread context of 3912	3236	spoolsv.exe	diskperf.exe
PID 636 set thread context of 1764	636	spoolsv.exe	spoolsv.exe
PID 636 set thread context of 6728	636	spoolsv.exe	diskperf.exe
PID 4016 set thread context of 6804	4016	spoolsv.exe	spoolsv.exe
PID 3864 set thread context of 752	3864	spoolsv.exe	spoolsv.exe
PID 2532 set thread context of 6948	2532	spoolsv.exe	spoolsv.exe
PID 2752 set thread context of 7008	2752	spoolsv.exe	spoolsv.exe
PID 2752 set thread context of 4048	2752	spoolsv.exe	diskperf.exe
PID 2904 set thread context of 504	2904	spoolsv.exe	spoolsv.exe
PID 2904 set thread context of 2564	2904	spoolsv.exe	diskperf.exe
PID 748 set thread context of 2880	748	spoolsv.exe	spoolsv.exe
PID 748 set thread context of 3184	748	spoolsv.exe	diskperf.exe
PID 1224 set thread context of 2920	1224	spoolsv.exe	spoolsv.exe
PID 1224 set thread context of 7132	1224	spoolsv.exe	diskperf.exe
PID 3720 set thread context of 732	3720	spoolsv.exe	spoolsv.exe
PID 3720 set thread context of 6544	3720	spoolsv.exe	diskperf.exe
PID 4072 set thread context of 4560	4072	spoolsv.exe	spoolsv.exe
PID 4072 set thread context of 6736	4072	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exe

pid	process
2556	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
2556	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3648 explorer.exe

pid	process
3648	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2556	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
2556	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
3648	explorer.exe
6520	spoolsv.exe
6520	spoolsv.exe
6620	spoolsv.exe
6620	spoolsv.exe
6688	spoolsv.exe
6688	spoolsv.exe
6748	spoolsv.exe
6780	spoolsv.exe
6748	spoolsv.exe
6820	spoolsv.exe
6780	spoolsv.exe
6888	spoolsv.exe
6820	spoolsv.exe
6888	spoolsv.exe
6964	spoolsv.exe
6980	spoolsv.exe
6964	spoolsv.exe
7040	spoolsv.exe
7040	spoolsv.exe
6980	spoolsv.exe
7108	spoolsv.exe
7108	spoolsv.exe
7164	spoolsv.exe
7164	spoolsv.exe
6584	spoolsv.exe
6584	spoolsv.exe
6624	spoolsv.exe
6624	spoolsv.exe
6732	spoolsv.exe
6732	spoolsv.exe
6692	spoolsv.exe
6692	spoolsv.exe
6916	spoolsv.exe
6916	spoolsv.exe
6784	spoolsv.exe
6784	spoolsv.exe
3592	spoolsv.exe
3592	spoolsv.exe
7052	spoolsv.exe
7052	spoolsv.exe
976	spoolsv.exe
976	spoolsv.exe
3132	spoolsv.exe
3132	spoolsv.exe
7112	spoolsv.exe
7112	spoolsv.exe
6544	spoolsv.exe
6544	spoolsv.exe
1764	spoolsv.exe
1764	spoolsv.exe
6804	spoolsv.exe
6804	spoolsv.exe
752	spoolsv.exe
752	spoolsv.exe
6948	spoolsv.exe
6948	spoolsv.exe
7008	spoolsv.exe
7008	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 584 wrote to memory of 2556	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 584 wrote to memory of 2556	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 584 wrote to memory of 2556	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 584 wrote to memory of 2556	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 584 wrote to memory of 2556	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 584 wrote to memory of 2556	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 584 wrote to memory of 2556	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 584 wrote to memory of 2556	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
PID 584 wrote to memory of 3676	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 584 wrote to memory of 3676	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 584 wrote to memory of 3676	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 584 wrote to memory of 3676	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 584 wrote to memory of 3676	584	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	diskperf.exe
PID 2556 wrote to memory of 4016	2556	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	explorer.exe
PID 2556 wrote to memory of 4016	2556	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	explorer.exe
PID 2556 wrote to memory of 4016	2556	926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe	explorer.exe
PID 4016 wrote to memory of 3648	4016	explorer.exe	explorer.exe
PID 4016 wrote to memory of 3648	4016	explorer.exe	explorer.exe
PID 4016 wrote to memory of 3648	4016	explorer.exe	explorer.exe
PID 4016 wrote to memory of 3648	4016	explorer.exe	explorer.exe
PID 4016 wrote to memory of 3648	4016	explorer.exe	explorer.exe
PID 4016 wrote to memory of 3648	4016	explorer.exe	explorer.exe
PID 4016 wrote to memory of 3648	4016	explorer.exe	explorer.exe
PID 4016 wrote to memory of 3648	4016	explorer.exe	explorer.exe
PID 4016 wrote to memory of 3880	4016	explorer.exe	diskperf.exe
PID 4016 wrote to memory of 3880	4016	explorer.exe	diskperf.exe
PID 4016 wrote to memory of 3880	4016	explorer.exe	diskperf.exe
PID 4016 wrote to memory of 3880	4016	explorer.exe	diskperf.exe
PID 4016 wrote to memory of 3880	4016	explorer.exe	diskperf.exe
PID 3648 wrote to memory of 2392	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2392	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2392	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2544	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2544	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2544	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3556	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3556	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3556	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3744	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3744	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3744	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3696	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3696	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3696	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 1920	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 1920	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 1920	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2856	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2856	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2856	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 740	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 740	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 740	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2208	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2208	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2208	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 1088	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 1088	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 1088	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3964	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3964	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 3964	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2116	3648	explorer.exe	spoolsv.exe
PID 3648 wrote to memory of 2116	3648	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
"C:\Users\Admin\AppData\Local\Temp\926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe
"C:\Users\Admin\AppData\Local\Temp\926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6520

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6688

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6980

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7040

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7108

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7140

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7164

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6624

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6700

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6732

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6916

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6784

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3592

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7052

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:976

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3132

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2200

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7112

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3848

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6544

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2568

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1764

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6804

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6948

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:504

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4408

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2880

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:732

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4560

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2432

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4636

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4668

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2124

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4060

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4732

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4828

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1248

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3680

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4592

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1268

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2144

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:3880

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
bc4a2d6d59a0aee1a434e93f5d59019a

SHA1
2403a1c0017b46d2357f3730b9d5c16fa7284a28

SHA256
926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea

SHA512
5b808a743ed3663656417dc23b9614dc89ab25c5814040f76afa356659ce3614431a2580963e977c9169d262ba80a4238d70ab53b7317f1b6003fd5111e8ba47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
5d3e1525c906100bea9f99012e5cdc8b

SHA1
950368ec06c1464110ad087de3ae0422ee0fadaf

SHA256
ea84df56f37ef1c2c22e2ad6c40f307063c03dce911f0ea174c696a4beb3f6b8

SHA512
7763fdc4de2043a87ca27142083578589ac6ca383eed8013dbf5d5e1adc0b3a950d97af89ac9eb0e7f48cda468af8b7c0a1d6893887eb0a750d3320287124818

Download Submit
C:\Windows\System\explorer.exe
MD5
5d3e1525c906100bea9f99012e5cdc8b

SHA1
950368ec06c1464110ad087de3ae0422ee0fadaf

SHA256
ea84df56f37ef1c2c22e2ad6c40f307063c03dce911f0ea174c696a4beb3f6b8

SHA512
7763fdc4de2043a87ca27142083578589ac6ca383eed8013dbf5d5e1adc0b3a950d97af89ac9eb0e7f48cda468af8b7c0a1d6893887eb0a750d3320287124818

Download Submit
C:\Windows\System\explorer.exe
MD5
5d3e1525c906100bea9f99012e5cdc8b

SHA1
950368ec06c1464110ad087de3ae0422ee0fadaf

SHA256
ea84df56f37ef1c2c22e2ad6c40f307063c03dce911f0ea174c696a4beb3f6b8

SHA512
7763fdc4de2043a87ca27142083578589ac6ca383eed8013dbf5d5e1adc0b3a950d97af89ac9eb0e7f48cda468af8b7c0a1d6893887eb0a750d3320287124818

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
C:\Windows\System\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
\??\c:\windows\system\explorer.exe
MD5
5d3e1525c906100bea9f99012e5cdc8b

SHA1
950368ec06c1464110ad087de3ae0422ee0fadaf

SHA256
ea84df56f37ef1c2c22e2ad6c40f307063c03dce911f0ea174c696a4beb3f6b8

SHA512
7763fdc4de2043a87ca27142083578589ac6ca383eed8013dbf5d5e1adc0b3a950d97af89ac9eb0e7f48cda468af8b7c0a1d6893887eb0a750d3320287124818

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
4076db26b91e9651c7f0bce193a125e3

SHA1
d03c8396e96186621435e27c1984b2b8911b4075

SHA256
562fd6a0b8f19ad89a1a37f155b33d8fdf689f16dfce65e30bdc3f298f0a9137

SHA512
357fa4c3e5cfe0da2df25246159ef5c78f74521696e4c0d656cb4ff7b980eb6cd1f669760f6661b2134c3daff6ebe85727a485a8215ec1e8025ee414faad9ee3

Download Submit
memory/584-114-0x00000000005B0000-0x000000000065E000-memory.dmp

Filesize
696KB

Download
memory/636-223-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/636-217-0x0000000000000000-mapping.dmp

Download
memory/736-187-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/736-181-0x0000000000000000-mapping.dmp

Download
memory/740-165-0x0000000000000000-mapping.dmp

Download
memory/740-171-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/748-235-0x0000000000000000-mapping.dmp

Download
memory/748-241-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1012-189-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/1012-185-0x0000000000000000-mapping.dmp

Download
memory/1088-174-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1088-170-0x0000000000000000-mapping.dmp

Download
memory/1136-205-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/1136-199-0x0000000000000000-mapping.dmp

Download
memory/1224-242-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/1224-237-0x0000000000000000-mapping.dmp

Download
memory/1292-259-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1292-253-0x0000000000000000-mapping.dmp

Download
memory/1620-188-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1620-183-0x0000000000000000-mapping.dmp

Download
memory/1752-255-0x0000000000000000-mapping.dmp

Download
memory/1752-260-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1920-157-0x0000000000000000-mapping.dmp

Download
memory/1920-160-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2044-257-0x0000000000000000-mapping.dmp

Download
memory/2080-206-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2080-201-0x0000000000000000-mapping.dmp

Download
memory/2084-270-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2084-264-0x0000000000000000-mapping.dmp

Download
memory/2116-177-0x0000000000000000-mapping.dmp

Download
memory/2116-180-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2120-275-0x0000000000000000-mapping.dmp

Download
memory/2120-279-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2156-277-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2156-271-0x0000000000000000-mapping.dmp

Download
memory/2204-280-0x0000000000000000-mapping.dmp

Download
memory/2204-286-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2208-173-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2208-167-0x0000000000000000-mapping.dmp

Download
memory/2212-197-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2212-192-0x0000000000000000-mapping.dmp

Download
memory/2392-149-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2392-144-0x0000000000000000-mapping.dmp

Download
memory/2480-266-0x0000000000000000-mapping.dmp

Download
memory/2480-269-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2532-232-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2532-226-0x0000000000000000-mapping.dmp

Download
memory/2544-150-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2544-147-0x0000000000000000-mapping.dmp

Download
memory/2556-248-0x0000000000000000-mapping.dmp

Download
memory/2556-116-0x0000000000403670-mapping.dmp

Download
memory/2556-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2556-252-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2556-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-207-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2560-203-0x0000000000000000-mapping.dmp

Download
memory/2752-228-0x0000000000000000-mapping.dmp

Download
memory/2752-233-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2856-169-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2856-163-0x0000000000000000-mapping.dmp

Download
memory/2876-208-0x0000000000000000-mapping.dmp

Download
memory/2876-214-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2904-230-0x0000000000000000-mapping.dmp

Download
memory/2904-234-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/3168-282-0x0000000000000000-mapping.dmp

Download
memory/3168-288-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3236-212-0x0000000000000000-mapping.dmp

Download
memory/3236-216-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3556-159-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download
memory/3556-151-0x0000000000000000-mapping.dmp

Download
memory/3560-278-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/3560-273-0x0000000000000000-mapping.dmp

Download
memory/3576-251-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/3576-246-0x0000000000000000-mapping.dmp

Download
memory/3584-262-0x0000000000000000-mapping.dmp

Download
memory/3584-268-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3648-131-0x0000000000403670-mapping.dmp

Download
memory/3656-194-0x0000000000000000-mapping.dmp

Download
memory/3676-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3676-118-0x0000000000411000-mapping.dmp

Download
memory/3676-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3696-155-0x0000000000000000-mapping.dmp

Download
memory/3696-162-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3720-239-0x0000000000000000-mapping.dmp

Download
memory/3720-243-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3744-161-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3744-153-0x0000000000000000-mapping.dmp

Download
memory/3864-224-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3864-221-0x0000000000000000-mapping.dmp

Download
memory/3880-136-0x0000000000411000-mapping.dmp

Download
memory/3964-179-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/3964-175-0x0000000000000000-mapping.dmp

Download
memory/3992-210-0x0000000000000000-mapping.dmp

Download
memory/3992-215-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4016-225-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4016-219-0x0000000000000000-mapping.dmp

Download
memory/4016-129-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4016-124-0x0000000000000000-mapping.dmp

Download
memory/4064-196-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/4064-190-0x0000000000000000-mapping.dmp

Download
memory/4072-250-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4072-244-0x0000000000000000-mapping.dmp

Download
memory/4116-287-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4116-284-0x0000000000000000-mapping.dmp

Download
memory/4152-295-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4152-289-0x0000000000000000-mapping.dmp

Download
memory/4176-291-0x0000000000000000-mapping.dmp

Download
memory/4176-297-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4200-293-0x0000000000000000-mapping.dmp

Download
memory/4200-296-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4236-304-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4236-298-0x0000000000000000-mapping.dmp

Download
memory/4260-300-0x0000000000000000-mapping.dmp

Download
memory/4260-305-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4284-302-0x0000000000000000-mapping.dmp

Download
memory/4284-306-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4320-307-0x0000000000000000-mapping.dmp

Download
memory/4320-315-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4344-309-0x0000000000000000-mapping.dmp

Download
memory/4344-317-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4368-311-0x0000000000000000-mapping.dmp

Download
memory/4368-318-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4392-313-0x0000000000000000-mapping.dmp

Download
memory/4392-316-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4432-319-0x0000000000000000-mapping.dmp

Download