warzonerat | 9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524

Analysis

max time kernel
143s
max time network
111s
platform
windows10_x64
resource
win10v20210410
submitted
17-05-2021 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
Size

1.8MB
MD5

6e947f1f8e276986babd6a0217bc3e58
SHA1

483a208c7678b2ea15793f43c2110780d94a7601
SHA256

9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524
SHA512

173a16f4d970cf3f3bd410d194309363c95c5b547f3a4657e0cbf6e337e699ab64989ca4a67907fb1011db1b64cfbb58fbc9297d89cd659f3ad7aa67495a7b23

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4044	explorer.exe
3968	explorer.exe
1572	spoolsv.exe
2212	spoolsv.exe
3668	spoolsv.exe
2584	spoolsv.exe
1444	spoolsv.exe
1548	spoolsv.exe
2288	spoolsv.exe
3184	spoolsv.exe
1424	spoolsv.exe
3228	spoolsv.exe
2328	spoolsv.exe
2264	spoolsv.exe
420	spoolsv.exe
3148	spoolsv.exe
3188	spoolsv.exe
3692	spoolsv.exe
3808	spoolsv.exe
2152	spoolsv.exe
1468	spoolsv.exe
2320	spoolsv.exe
3168	spoolsv.exe
3944	spoolsv.exe
820	spoolsv.exe
2356	spoolsv.exe
2144	spoolsv.exe
3832	spoolsv.exe
1968	spoolsv.exe
2592	spoolsv.exe
4024	spoolsv.exe
3764	spoolsv.exe
2316	spoolsv.exe
3144	spoolsv.exe
1312	spoolsv.exe
3976	spoolsv.exe
1836	spoolsv.exe
368	spoolsv.exe
3948	spoolsv.exe
2672	spoolsv.exe
1804	spoolsv.exe
2084	spoolsv.exe
3980	spoolsv.exe
3856	spoolsv.exe
3844	spoolsv.exe
1840	spoolsv.exe
3496	spoolsv.exe
4104	spoolsv.exe
4132	spoolsv.exe
4172	spoolsv.exe
4196	spoolsv.exe
4220	spoolsv.exe
4244	spoolsv.exe
4284	spoolsv.exe
4308	spoolsv.exe
4332	spoolsv.exe
4356	spoolsv.exe
4396	spoolsv.exe
4420	spoolsv.exe
4444	spoolsv.exe
4468	spoolsv.exe
4500	spoolsv.exe
4516	spoolsv.exe
4532	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3692 set thread context of 1172	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
PID 3692 set thread context of 3408	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	diskperf.exe
PID 4044 set thread context of 3968	4044	explorer.exe	explorer.exe
PID 4044 set thread context of 672	4044	explorer.exe	diskperf.exe
PID 1572 set thread context of 6896	1572	spoolsv.exe	spoolsv.exe
PID 1572 set thread context of 6912	1572	spoolsv.exe	diskperf.exe
PID 2212 set thread context of 6980	2212	spoolsv.exe	spoolsv.exe
PID 2212 set thread context of 7004	2212	spoolsv.exe	diskperf.exe
PID 3668 set thread context of 7072	3668	spoolsv.exe	spoolsv.exe
PID 3668 set thread context of 7084	3668	spoolsv.exe	diskperf.exe
PID 2584 set thread context of 7112	2584	spoolsv.exe	spoolsv.exe
PID 2584 set thread context of 7140	2584	spoolsv.exe	diskperf.exe
PID 1444 set thread context of 3592	1444	spoolsv.exe	spoolsv.exe
PID 1444 set thread context of 3564	1444	spoolsv.exe	diskperf.exe
PID 1548 set thread context of 6904	1548	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 4148	1548	spoolsv.exe	diskperf.exe
PID 2288 set thread context of 6920	2288	spoolsv.exe	spoolsv.exe
PID 2288 set thread context of 7096	2288	spoolsv.exe	diskperf.exe
PID 3184 set thread context of 7124	3184	spoolsv.exe	spoolsv.exe
PID 1424 set thread context of 7160	1424	spoolsv.exe	spoolsv.exe
PID 3228 set thread context of 7132	3228	spoolsv.exe	spoolsv.exe
PID 3228 set thread context of 1780	3228	spoolsv.exe	diskperf.exe
PID 2328 set thread context of 6956	2328	spoolsv.exe	spoolsv.exe
PID 2328 set thread context of 7016	2328	spoolsv.exe	diskperf.exe
PID 2264 set thread context of 7040	2264	spoolsv.exe	spoolsv.exe
PID 2264 set thread context of 7060	2264	spoolsv.exe	diskperf.exe
PID 420 set thread context of 7120	420	spoolsv.exe	diskperf.exe
PID 420 set thread context of 3164	420	spoolsv.exe	diskperf.exe
PID 3148 set thread context of 3256	3148	spoolsv.exe	spoolsv.exe
PID 3148 set thread context of 1100	3148	spoolsv.exe	diskperf.exe
PID 3188 set thread context of 1396	3188	spoolsv.exe	spoolsv.exe
PID 3188 set thread context of 4436	3188	spoolsv.exe	diskperf.exe
PID 3692 set thread context of 2200	3692	spoolsv.exe	spoolsv.exe
PID 3692 set thread context of 4484	3692	spoolsv.exe	diskperf.exe
PID 3808 set thread context of 4000	3808	spoolsv.exe	spoolsv.exe
PID 3808 set thread context of 7120	3808	spoolsv.exe	diskperf.exe
PID 2152 set thread context of 4556	2152	spoolsv.exe	spoolsv.exe
PID 2152 set thread context of 2576	2152	spoolsv.exe	diskperf.exe
PID 1468 set thread context of 4588	1468	spoolsv.exe	spoolsv.exe
PID 1468 set thread context of 1324	1468	spoolsv.exe	diskperf.exe
PID 2320 set thread context of 3964	2320	spoolsv.exe	spoolsv.exe
PID 3168 set thread context of 3836	3168	spoolsv.exe	spoolsv.exe
PID 3168 set thread context of 4656	3168	spoolsv.exe	diskperf.exe
PID 3944 set thread context of 4692	3944	spoolsv.exe	spoolsv.exe
PID 3944 set thread context of 4684	3944	spoolsv.exe	diskperf.exe
PID 820 set thread context of 4624	820	spoolsv.exe	spoolsv.exe
PID 820 set thread context of 4720	820	spoolsv.exe	diskperf.exe
PID 2356 set thread context of 4668	2356	spoolsv.exe	spoolsv.exe
PID 2356 set thread context of 4572	2356	spoolsv.exe	diskperf.exe
PID 2144 set thread context of 4588	2144	spoolsv.exe	svchost.exe
PID 2144 set thread context of 4608	2144	spoolsv.exe	diskperf.exe
PID 3832 set thread context of 4624	3832	spoolsv.exe	diskperf.exe
PID 3832 set thread context of 4820	3832	spoolsv.exe	diskperf.exe
PID 1968 set thread context of 4044	1968	spoolsv.exe	spoolsv.exe
PID 1968 set thread context of 3176	1968	spoolsv.exe	diskperf.exe
PID 2592 set thread context of 2368	2592	spoolsv.exe	spoolsv.exe
PID 4024 set thread context of 4620	4024	spoolsv.exe	spoolsv.exe
PID 4024 set thread context of 1892	4024	spoolsv.exe	diskperf.exe
PID 3764 set thread context of 4896	3764	spoolsv.exe	spoolsv.exe
PID 3764 set thread context of 4624	3764	spoolsv.exe	diskperf.exe
PID 2316 set thread context of 4848	2316	spoolsv.exe	diskperf.exe
PID 3144 set thread context of 4864	3144	spoolsv.exe	diskperf.exe
PID 3144 set thread context of 4948	3144	spoolsv.exe	diskperf.exe
PID 1312 set thread context of 2044	1312	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

spoolsv.exe9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exeexplorer.exe

pid	process
1172	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
1172	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3968 explorer.exe

pid	process
3968	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exediskperf.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exediskperf.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1172	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
1172	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
6896	spoolsv.exe
6896	spoolsv.exe
6980	spoolsv.exe
6980	spoolsv.exe
7072	spoolsv.exe
7112	spoolsv.exe
7072	spoolsv.exe
7112	spoolsv.exe
3592	spoolsv.exe
6904	spoolsv.exe
3592	spoolsv.exe
6904	spoolsv.exe
6920	spoolsv.exe
7124	spoolsv.exe
7124	spoolsv.exe
7160	spoolsv.exe
7160	spoolsv.exe
6920	spoolsv.exe
7132	spoolsv.exe
7132	spoolsv.exe
6956	spoolsv.exe
6956	spoolsv.exe
7040	spoolsv.exe
7040	spoolsv.exe
7120	diskperf.exe
7120	diskperf.exe
3256	spoolsv.exe
3256	spoolsv.exe
1396	spoolsv.exe
1396	spoolsv.exe
2200	spoolsv.exe
2200	spoolsv.exe
4000	spoolsv.exe
4000	spoolsv.exe
4556	spoolsv.exe
4556	spoolsv.exe
4588	spoolsv.exe
4588	spoolsv.exe
3964	spoolsv.exe
3964	spoolsv.exe
3836	spoolsv.exe
3836	spoolsv.exe
4692	spoolsv.exe
4692	spoolsv.exe
4624	spoolsv.exe
4624	spoolsv.exe
4668	spoolsv.exe
4668	spoolsv.exe
4588	svchost.exe
4588	svchost.exe
4624	diskperf.exe
4624	diskperf.exe
4044	spoolsv.exe
4044	spoolsv.exe
2368	spoolsv.exe
2368	spoolsv.exe
4620	spoolsv.exe
4620	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3692 wrote to memory of 1172	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
PID 3692 wrote to memory of 1172	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
PID 3692 wrote to memory of 1172	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
PID 3692 wrote to memory of 1172	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
PID 3692 wrote to memory of 1172	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
PID 3692 wrote to memory of 1172	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
PID 3692 wrote to memory of 1172	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
PID 3692 wrote to memory of 1172	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
PID 3692 wrote to memory of 3408	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	diskperf.exe
PID 3692 wrote to memory of 3408	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	diskperf.exe
PID 3692 wrote to memory of 3408	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	diskperf.exe
PID 3692 wrote to memory of 3408	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	diskperf.exe
PID 3692 wrote to memory of 3408	3692	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	diskperf.exe
PID 1172 wrote to memory of 4044	1172	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	explorer.exe
PID 1172 wrote to memory of 4044	1172	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	explorer.exe
PID 1172 wrote to memory of 4044	1172	9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe	explorer.exe
PID 4044 wrote to memory of 3968	4044	explorer.exe	explorer.exe
PID 4044 wrote to memory of 3968	4044	explorer.exe	explorer.exe
PID 4044 wrote to memory of 3968	4044	explorer.exe	explorer.exe
PID 4044 wrote to memory of 3968	4044	explorer.exe	explorer.exe
PID 4044 wrote to memory of 3968	4044	explorer.exe	explorer.exe
PID 4044 wrote to memory of 3968	4044	explorer.exe	explorer.exe
PID 4044 wrote to memory of 3968	4044	explorer.exe	explorer.exe
PID 4044 wrote to memory of 3968	4044	explorer.exe	explorer.exe
PID 4044 wrote to memory of 672	4044	explorer.exe	diskperf.exe
PID 4044 wrote to memory of 672	4044	explorer.exe	diskperf.exe
PID 4044 wrote to memory of 672	4044	explorer.exe	diskperf.exe
PID 4044 wrote to memory of 672	4044	explorer.exe	diskperf.exe
PID 4044 wrote to memory of 672	4044	explorer.exe	diskperf.exe
PID 3968 wrote to memory of 1572	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1572	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1572	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2212	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2212	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2212	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 3668	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 3668	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 3668	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2584	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2584	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2584	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1444	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1444	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1444	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1548	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1548	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1548	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2288	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2288	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2288	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 3184	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 3184	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 3184	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1424	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1424	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 1424	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 3228	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 3228	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 3228	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2328	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2328	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2328	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2264	3968	explorer.exe	spoolsv.exe
PID 3968 wrote to memory of 2264	3968	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
"C:\Users\Admin\AppData\Local\Temp\9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Users\Admin\AppData\Local\Temp\9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe
  "C:\Users\Admin\AppData\Local\Temp\9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1172
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1572
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6896
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7028
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2212
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6980
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3668
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7072
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2420
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2584
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1444
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2832
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6904
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2288
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6920
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3184
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7124
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1424
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7160
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3228
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7132
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2172
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2328
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6956
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4188
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2264
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7040
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6984
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:420
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7120
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1448
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3148
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3256
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7080
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3188
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4464
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3692
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2820
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3808
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4000
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1564
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2152
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4556
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3396
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1468
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4588
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4604
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2320
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3964
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3088
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3168
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3836
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2308
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3944
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4692
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4704
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:820
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4624
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3372
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2356
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4668
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1144
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2144
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4588
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4804
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3832
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4624
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4772
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1968
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4044
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1228
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2592
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3488
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4024
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4620
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4880
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3764
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4896
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2764
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2316
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4848
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4588
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3144
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4864
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3772
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1312
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2044
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4996
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3976
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2744
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2756
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1836
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4692
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2868
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:368
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4964
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5076
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3948
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2044
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2672
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2744
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:584
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1804
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4156
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5060
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2084
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4180
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4896
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3980
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3716
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4848
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3856
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3996
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:644
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3844
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4408
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4180
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1840
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3180
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3716
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3496
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2256
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5176
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4492
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2952
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4132
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:912
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2244
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4172
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3828
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4128
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4196
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5192
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3180
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4220
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5240
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3996
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4244
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3828
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4492
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4284
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4224
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4176
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4308
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5388
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5340
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4332
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5420
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5432
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4356
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4212
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4240
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4396
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5484
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5400
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4420
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5524
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5464
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4444
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5556
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5576
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4468
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5556
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4500
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7180
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7208
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4516
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7224
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7252
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7280
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7300
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4564
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7324
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7356
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4580
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7376
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7408
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4596
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7384
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4612
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7464
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7488
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4628
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7512
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7528
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4660
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7580
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7604
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4676
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7624
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4696
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7644
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4712
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7692
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7720
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4728
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7744
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4744
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7776
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7784
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4776
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7840
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4792
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7848
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4808
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7896
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7924
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6992
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:672
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
6e947f1f8e276986babd6a0217bc3e58

SHA1
483a208c7678b2ea15793f43c2110780d94a7601

SHA256
9ee58cd9c97a6ccd948fa6fec29b06ca6816ee271f3674952cc9e64abf158524

SHA512
173a16f4d970cf3f3bd410d194309363c95c5b547f3a4657e0cbf6e337e699ab64989ca4a67907fb1011db1b64cfbb58fbc9297d89cd659f3ad7aa67495a7b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
25fac1dfb6684eb2484ac98682a06547

SHA1
b94fac5bbbd8de5db716dca5ce8d3d3083591728

SHA256
b6837255fbcaf419a1d990a459f6098227021d0f155bcbb8059a5157499f5a5b

SHA512
82036b71ea9a8cfd5a262139ecf166f527f99a62955c199fc33f80cb578d088fbac27dc6dd7eb9e29f7e050e709ecc0b6d4bd4eb7964eff1c8cd4984e8682a23

Download Submit
C:\Windows\System\explorer.exe

MD5
25fac1dfb6684eb2484ac98682a06547

SHA1
b94fac5bbbd8de5db716dca5ce8d3d3083591728

SHA256
b6837255fbcaf419a1d990a459f6098227021d0f155bcbb8059a5157499f5a5b

SHA512
82036b71ea9a8cfd5a262139ecf166f527f99a62955c199fc33f80cb578d088fbac27dc6dd7eb9e29f7e050e709ecc0b6d4bd4eb7964eff1c8cd4984e8682a23

Download Submit
C:\Windows\System\explorer.exe

MD5
25fac1dfb6684eb2484ac98682a06547

SHA1
b94fac5bbbd8de5db716dca5ce8d3d3083591728

SHA256
b6837255fbcaf419a1d990a459f6098227021d0f155bcbb8059a5157499f5a5b

SHA512
82036b71ea9a8cfd5a262139ecf166f527f99a62955c199fc33f80cb578d088fbac27dc6dd7eb9e29f7e050e709ecc0b6d4bd4eb7964eff1c8cd4984e8682a23

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
C:\Windows\System\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
\??\c:\windows\system\explorer.exe

MD5
25fac1dfb6684eb2484ac98682a06547

SHA1
b94fac5bbbd8de5db716dca5ce8d3d3083591728

SHA256
b6837255fbcaf419a1d990a459f6098227021d0f155bcbb8059a5157499f5a5b

SHA512
82036b71ea9a8cfd5a262139ecf166f527f99a62955c199fc33f80cb578d088fbac27dc6dd7eb9e29f7e050e709ecc0b6d4bd4eb7964eff1c8cd4984e8682a23

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
fe0743ae92481a3321a4e44c38b88bfa

SHA1
52178cbe72cce6f5240423e3c31307a7aa6a2b09

SHA256
face4d157dfb297da099c8c46d83fc7221947d6cd7240f4d3ca6e9bdf94ab958

SHA512
44f560e7b812879bc431cdc6bdc96a6b28ed9b70e9ffc3fe83faccea96368de798e4691255f5128aa29fff317c84ea7f436cc6c6a9e0e50b7dd6b1b6c5765892

Download Submit
memory/368-247-0x0000000000000000-mapping.dmp

Download
memory/368-250-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/420-181-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/420-178-0x0000000000000000-mapping.dmp

Download
memory/672-137-0x0000000000411000-mapping.dmp

Download
memory/820-209-0x0000000000000000-mapping.dmp

Download
memory/1172-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1172-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1172-116-0x0000000000403670-mapping.dmp

Download
memory/1312-249-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1312-241-0x0000000000000000-mapping.dmp

Download
memory/1424-167-0x0000000000000000-mapping.dmp

Download
memory/1424-171-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1444-162-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1444-155-0x0000000000000000-mapping.dmp

Download
memory/1468-198-0x0000000000000000-mapping.dmp

Download
memory/1468-204-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1548-160-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1548-157-0x0000000000000000-mapping.dmp

Download
memory/1572-144-0x0000000000000000-mapping.dmp

Download
memory/1572-149-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1804-257-0x0000000000000000-mapping.dmp

Download
memory/1804-264-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1836-245-0x0000000000000000-mapping.dmp

Download
memory/1836-252-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1840-282-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1840-274-0x0000000000000000-mapping.dmp

Download
memory/1968-221-0x0000000000000000-mapping.dmp

Download
memory/1968-227-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2084-259-0x0000000000000000-mapping.dmp

Download
memory/2084-262-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download
memory/2144-217-0x0000000000000000-mapping.dmp

Download
memory/2144-225-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2152-196-0x0000000000000000-mapping.dmp

Download
memory/2152-202-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2212-150-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2212-147-0x0000000000000000-mapping.dmp

Download
memory/2264-183-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2264-176-0x0000000000000000-mapping.dmp

Download
memory/2288-163-0x0000000000000000-mapping.dmp

Download
memory/2288-169-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2316-233-0x0000000000000000-mapping.dmp

Download
memory/2316-239-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2320-200-0x0000000000000000-mapping.dmp

Download
memory/2320-205-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2328-174-0x0000000000000000-mapping.dmp

Download
memory/2328-182-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2356-211-0x0000000000000000-mapping.dmp

Download
memory/2356-216-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2584-161-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2584-153-0x0000000000000000-mapping.dmp

Download
memory/2592-223-0x0000000000000000-mapping.dmp

Download
memory/2592-228-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2672-255-0x0000000000000000-mapping.dmp

Download
memory/2672-263-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3144-240-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3144-235-0x0000000000000000-mapping.dmp

Download
memory/3148-184-0x0000000000000000-mapping.dmp

Download
memory/3148-192-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3168-203-0x0000000000000000-mapping.dmp

Download
memory/3168-213-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3184-165-0x0000000000000000-mapping.dmp

Download
memory/3184-170-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download
memory/3188-186-0x0000000000000000-mapping.dmp

Download
memory/3188-194-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3228-172-0x0000000000000000-mapping.dmp

Download
memory/3228-180-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3408-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3408-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3408-118-0x0000000000411000-mapping.dmp

Download
memory/3496-283-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3496-276-0x0000000000000000-mapping.dmp

Download
memory/3668-151-0x0000000000000000-mapping.dmp

Download
memory/3668-159-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3692-195-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3692-114-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3692-188-0x0000000000000000-mapping.dmp

Download
memory/3764-238-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3764-231-0x0000000000000000-mapping.dmp

Download
memory/3808-193-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3808-190-0x0000000000000000-mapping.dmp

Download
memory/3832-226-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3832-219-0x0000000000000000-mapping.dmp

Download
memory/3844-273-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3844-269-0x0000000000000000-mapping.dmp

Download
memory/3856-267-0x0000000000000000-mapping.dmp

Download
memory/3856-272-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3944-207-0x0000000000000000-mapping.dmp

Download
memory/3948-253-0x0000000000000000-mapping.dmp

Download
memory/3948-261-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3968-131-0x0000000000403670-mapping.dmp

Download
memory/3976-243-0x0000000000000000-mapping.dmp

Download
memory/3976-251-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3980-265-0x0000000000000000-mapping.dmp

Download
memory/3980-271-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4024-229-0x0000000000000000-mapping.dmp

Download
memory/4024-237-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4044-129-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4044-124-0x0000000000000000-mapping.dmp

Download
memory/4104-284-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4104-278-0x0000000000000000-mapping.dmp

Download
memory/4132-280-0x0000000000000000-mapping.dmp

Download
memory/4132-285-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4172-294-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4172-286-0x0000000000000000-mapping.dmp

Download
memory/4196-295-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4196-288-0x0000000000000000-mapping.dmp

Download
memory/4220-290-0x0000000000000000-mapping.dmp

Download
memory/4220-296-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4244-297-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4244-292-0x0000000000000000-mapping.dmp

Download
memory/4284-298-0x0000000000000000-mapping.dmp

Download
memory/4284-306-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4308-308-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4308-300-0x0000000000000000-mapping.dmp

Download
memory/4332-302-0x0000000000000000-mapping.dmp

Download
memory/4332-309-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4356-304-0x0000000000000000-mapping.dmp

Download
memory/4356-307-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4396-310-0x0000000000000000-mapping.dmp

Download
memory/4396-317-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/4420-312-0x0000000000000000-mapping.dmp

Download
memory/4420-318-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4444-314-0x0000000000000000-mapping.dmp

Download
memory/4444-319-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4468-316-0x0000000000000000-mapping.dmp

Download