warzonerat | bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1

Analysis

max time kernel
143s
max time network
57s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b78f5c47_by_Libranalysis.exe
Size

1.8MB
MD5

b78f5c47acef55129ff8d9862c477dcf
SHA1

4c8d602143a1a2fd5201ec4214cee155101e5911
SHA256

bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1
SHA512

d18d7a9999a9f50236efe551667dc9c6e226cfd6151a45d7712d980779599d9f5f81f74d97910b73f907e0ba54a85fb38fb5c489ac3cbbbaf49a39f7be28330e

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1680	explorer.exe
1488	explorer.exe
1356	spoolsv.exe
568	spoolsv.exe
1836	spoolsv.exe
688	spoolsv.exe
1100	spoolsv.exe
1620	spoolsv.exe
1736	spoolsv.exe
1108	spoolsv.exe
816	spoolsv.exe
956	spoolsv.exe
1704	spoolsv.exe
1688	spoolsv.exe
1724	spoolsv.exe
1360	spoolsv.exe
1440	spoolsv.exe
1912	spoolsv.exe
1556	spoolsv.exe
836	spoolsv.exe
1004	spoolsv.exe
524	spoolsv.exe
436	spoolsv.exe
864	spoolsv.exe
608	spoolsv.exe
1092	spoolsv.exe
1316	spoolsv.exe
1248	spoolsv.exe
2040	spoolsv.exe
1260	spoolsv.exe
1392	spoolsv.exe
644	spoolsv.exe
944	spoolsv.exe
900	spoolsv.exe
1164	spoolsv.exe
1676	spoolsv.exe
396	spoolsv.exe
332	spoolsv.exe
1576	spoolsv.exe
1068	spoolsv.exe
1336	spoolsv.exe
1680	spoolsv.exe
1196	spoolsv.exe
948	spoolsv.exe
1172	spoolsv.exe
1252	spoolsv.exe
1668	spoolsv.exe
1848	spoolsv.exe
1528	spoolsv.exe
1380	spoolsv.exe
940	spoolsv.exe
800	spoolsv.exe
1708	spoolsv.exe
1604	spoolsv.exe
1008	spoolsv.exe
1188	spoolsv.exe
1796	spoolsv.exe
1996	spoolsv.exe
572	spoolsv.exe
1504	spoolsv.exe
320	spoolsv.exe
1812	spoolsv.exe
1632	spoolsv.exe
1628	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

b78f5c47_by_Libranalysis.exeexplorer.exe

pid	process
1764	b78f5c47_by_Libranalysis.exe
1764	b78f5c47_by_Libranalysis.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeb78f5c47_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	b78f5c47_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 62 IoCs

Processes:

b78f5c47_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1420 set thread context of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 set thread context of 852	1420	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 1680 set thread context of 1488	1680	explorer.exe	explorer.exe
PID 1680 set thread context of 632	1680	explorer.exe	diskperf.exe
PID 1356 set thread context of 3180	1356	spoolsv.exe	spoolsv.exe
PID 1356 set thread context of 3188	1356	spoolsv.exe	diskperf.exe
PID 568 set thread context of 3228	568	spoolsv.exe	spoolsv.exe
PID 568 set thread context of 3236	568	spoolsv.exe	diskperf.exe
PID 1836 set thread context of 3260	1836	spoolsv.exe	spoolsv.exe
PID 1836 set thread context of 3268	1836	spoolsv.exe	diskperf.exe
PID 688 set thread context of 3296	688	spoolsv.exe	spoolsv.exe
PID 688 set thread context of 3304	688	spoolsv.exe	diskperf.exe
PID 1100 set thread context of 3336	1100	spoolsv.exe	spoolsv.exe
PID 1100 set thread context of 3344	1100	spoolsv.exe	diskperf.exe
PID 1620 set thread context of 3368	1620	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 3376	1620	spoolsv.exe	diskperf.exe
PID 1736 set thread context of 3404	1736	spoolsv.exe	spoolsv.exe
PID 1736 set thread context of 3412	1736	spoolsv.exe	diskperf.exe
PID 1108 set thread context of 3440	1108	spoolsv.exe	spoolsv.exe
PID 1108 set thread context of 3448	1108	spoolsv.exe	diskperf.exe
PID 816 set thread context of 3472	816	spoolsv.exe	spoolsv.exe
PID 816 set thread context of 3480	816	spoolsv.exe	diskperf.exe
PID 956 set thread context of 3508	956	spoolsv.exe	spoolsv.exe
PID 956 set thread context of 3516	956	spoolsv.exe	diskperf.exe
PID 1704 set thread context of 3540	1704	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 3548	1704	spoolsv.exe	diskperf.exe
PID 1688 set thread context of 3576	1688	spoolsv.exe	spoolsv.exe
PID 1688 set thread context of 3584	1688	spoolsv.exe	diskperf.exe
PID 1724 set thread context of 3604	1724	spoolsv.exe	spoolsv.exe
PID 1724 set thread context of 3612	1724	spoolsv.exe	diskperf.exe
PID 1360 set thread context of 3636	1360	spoolsv.exe	spoolsv.exe
PID 1360 set thread context of 3656	1360	spoolsv.exe	diskperf.exe
PID 1440 set thread context of 3668	1440	spoolsv.exe	spoolsv.exe
PID 1440 set thread context of 3676	1440	spoolsv.exe	diskperf.exe
PID 1912 set thread context of 3704	1912	spoolsv.exe	spoolsv.exe
PID 1912 set thread context of 3712	1912	spoolsv.exe	diskperf.exe
PID 1556 set thread context of 3740	1556	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 3760	1556	spoolsv.exe	diskperf.exe
PID 836 set thread context of 3772	836	spoolsv.exe	spoolsv.exe
PID 836 set thread context of 3792	836	spoolsv.exe	diskperf.exe
PID 1004 set thread context of 3800	1004	spoolsv.exe	spoolsv.exe
PID 1004 set thread context of 3808	1004	spoolsv.exe	diskperf.exe
PID 524 set thread context of 3836	524	spoolsv.exe	spoolsv.exe
PID 524 set thread context of 3844	524	spoolsv.exe	diskperf.exe
PID 436 set thread context of 3872	436	spoolsv.exe	spoolsv.exe
PID 436 set thread context of 3880	436	spoolsv.exe	diskperf.exe
PID 864 set thread context of 3888	864	spoolsv.exe	spoolsv.exe
PID 864 set thread context of 3920	864	spoolsv.exe	diskperf.exe
PID 608 set thread context of 3912	608	spoolsv.exe	spoolsv.exe
PID 608 set thread context of 3928	608	spoolsv.exe	diskperf.exe
PID 1092 set thread context of 3936	1092	spoolsv.exe	spoolsv.exe
PID 1092 set thread context of 3956	1092	spoolsv.exe	diskperf.exe
PID 1316 set thread context of 3968	1316	spoolsv.exe	spoolsv.exe
PID 1316 set thread context of 3976	1316	spoolsv.exe	diskperf.exe
PID 1248 set thread context of 3984	1248	spoolsv.exe	spoolsv.exe
PID 1248 set thread context of 3992	1248	spoolsv.exe	diskperf.exe
PID 2040 set thread context of 4000	2040	spoolsv.exe	spoolsv.exe
PID 2040 set thread context of 4008	2040	spoolsv.exe	diskperf.exe
PID 1260 set thread context of 4028	1260	spoolsv.exe	spoolsv.exe
PID 1260 set thread context of 4036	1260	spoolsv.exe	diskperf.exe
PID 1392 set thread context of 4048	1392	spoolsv.exe	spoolsv.exe
PID 1392 set thread context of 4056	1392	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

b78f5c47_by_Libranalysis.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	b78f5c47_by_Libranalysis.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b78f5c47_by_Libranalysis.exeexplorer.exe

pid	process
1764	b78f5c47_by_Libranalysis.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1488 explorer.exe

pid	process
1488	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1764	b78f5c47_by_Libranalysis.exe
1764	b78f5c47_by_Libranalysis.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
1488	explorer.exe
3180	spoolsv.exe
3180	spoolsv.exe
3228	spoolsv.exe
3228	spoolsv.exe
3260	spoolsv.exe
3260	spoolsv.exe
3296	spoolsv.exe
3296	spoolsv.exe
3336	spoolsv.exe
3336	spoolsv.exe
3368	spoolsv.exe
3368	spoolsv.exe
3404	spoolsv.exe
3404	spoolsv.exe
3440	spoolsv.exe
3440	spoolsv.exe
3472	spoolsv.exe
3472	spoolsv.exe
3508	spoolsv.exe
3508	spoolsv.exe
3540	spoolsv.exe
3540	spoolsv.exe
3576	spoolsv.exe
3576	spoolsv.exe
3604	spoolsv.exe
3604	spoolsv.exe
3636	spoolsv.exe
3636	spoolsv.exe
3668	spoolsv.exe
3668	spoolsv.exe
3704	spoolsv.exe
3704	spoolsv.exe
3740	spoolsv.exe
3740	spoolsv.exe
3772	spoolsv.exe
3772	spoolsv.exe
3800	spoolsv.exe
3800	spoolsv.exe
3836	spoolsv.exe
3836	spoolsv.exe
3872	spoolsv.exe
3872	spoolsv.exe
3888	spoolsv.exe
3912	spoolsv.exe
3912	spoolsv.exe
3888	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
3968	spoolsv.exe
3968	spoolsv.exe
3984	spoolsv.exe
3984	spoolsv.exe
4000	spoolsv.exe
4000	spoolsv.exe
4028	spoolsv.exe
4028	spoolsv.exe
4048	spoolsv.exe
4048	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b78f5c47_by_Libranalysis.exeb78f5c47_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1420 wrote to memory of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 wrote to memory of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 wrote to memory of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 wrote to memory of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 wrote to memory of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 wrote to memory of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 wrote to memory of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 wrote to memory of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 wrote to memory of 1764	1420	b78f5c47_by_Libranalysis.exe	b78f5c47_by_Libranalysis.exe
PID 1420 wrote to memory of 852	1420	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 1420 wrote to memory of 852	1420	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 1420 wrote to memory of 852	1420	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 1420 wrote to memory of 852	1420	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 1420 wrote to memory of 852	1420	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 1420 wrote to memory of 852	1420	b78f5c47_by_Libranalysis.exe	diskperf.exe
PID 1764 wrote to memory of 1680	1764	b78f5c47_by_Libranalysis.exe	explorer.exe
PID 1764 wrote to memory of 1680	1764	b78f5c47_by_Libranalysis.exe	explorer.exe
PID 1764 wrote to memory of 1680	1764	b78f5c47_by_Libranalysis.exe	explorer.exe
PID 1764 wrote to memory of 1680	1764	b78f5c47_by_Libranalysis.exe	explorer.exe
PID 1680 wrote to memory of 1488	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 1488	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 1488	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 1488	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 1488	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 1488	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 1488	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 1488	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 1488	1680	explorer.exe	explorer.exe
PID 1680 wrote to memory of 632	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 632	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 632	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 632	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 632	1680	explorer.exe	diskperf.exe
PID 1680 wrote to memory of 632	1680	explorer.exe	diskperf.exe
PID 1488 wrote to memory of 1356	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1356	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1356	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1356	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 568	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 568	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 568	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 568	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1836	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1836	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1836	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1836	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 688	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 688	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 688	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 688	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1100	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1100	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1100	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1100	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1620	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1620	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1620	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1620	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1736	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1736	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1736	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1736	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1108	1488	explorer.exe	spoolsv.exe
PID 1488 wrote to memory of 1108	1488	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\b78f5c47_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\b78f5c47_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\b78f5c47_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\b78f5c47_by_Libranalysis.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3180

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3220

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3228

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3248

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3260

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3288

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3296

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3336

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3356

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3368

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3388

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3404

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3440

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3460

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3472

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3492

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3508

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3540

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3576

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3604

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3624

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3636

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3648

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3668

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3724

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3740

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3752

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3772

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3800

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3836

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3856

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3872

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3888

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4000

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1392

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4076

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3200

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3244

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3280

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1564

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3300

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:396

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1716

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1596

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3456

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3572

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3524

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1160

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1840

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3700

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3736

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3780

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:920

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3868

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3908

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1476

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3972

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1208

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4048

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3200

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1600

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3436

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3568

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1300

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:316

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:904

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1904

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4044

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4048

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3332

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3488

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3204

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:852

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b78f5c47acef55129ff8d9862c477dcf

SHA1
4c8d602143a1a2fd5201ec4214cee155101e5911

SHA256
bc630e07cf99324ac65fb506e9d54bbd6d405887070604e00d98c52ba60d64c1

SHA512
d18d7a9999a9f50236efe551667dc9c6e226cfd6151a45d7712d980779599d9f5f81f74d97910b73f907e0ba54a85fb38fb5c489ac3cbbbaf49a39f7be28330e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
d6d2efcd57f3b93a8d16adbb24c2f420

SHA1
8104b9ce0a888935821cde6efcd125fc1c211af9

SHA256
df9e4abccb4489f5c57ece23410fb935cb541643779884d3cbb3c2db617c7f50

SHA512
ec347a147677ab5c4d53a737f6d5ac60383b8ea2a48e5bb444744ef22ee84ae00af0c0cfa56db2fdf11c39a84f0fba3e34377716f3b2ade988ed15cd0ec980d6

Download Submit
C:\Windows\system\explorer.exe
MD5
d6d2efcd57f3b93a8d16adbb24c2f420

SHA1
8104b9ce0a888935821cde6efcd125fc1c211af9

SHA256
df9e4abccb4489f5c57ece23410fb935cb541643779884d3cbb3c2db617c7f50

SHA512
ec347a147677ab5c4d53a737f6d5ac60383b8ea2a48e5bb444744ef22ee84ae00af0c0cfa56db2fdf11c39a84f0fba3e34377716f3b2ade988ed15cd0ec980d6

Download Submit
C:\Windows\system\explorer.exe
MD5
d6d2efcd57f3b93a8d16adbb24c2f420

SHA1
8104b9ce0a888935821cde6efcd125fc1c211af9

SHA256
df9e4abccb4489f5c57ece23410fb935cb541643779884d3cbb3c2db617c7f50

SHA512
ec347a147677ab5c4d53a737f6d5ac60383b8ea2a48e5bb444744ef22ee84ae00af0c0cfa56db2fdf11c39a84f0fba3e34377716f3b2ade988ed15cd0ec980d6

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\??\c:\windows\system\explorer.exe
MD5
d6d2efcd57f3b93a8d16adbb24c2f420

SHA1
8104b9ce0a888935821cde6efcd125fc1c211af9

SHA256
df9e4abccb4489f5c57ece23410fb935cb541643779884d3cbb3c2db617c7f50

SHA512
ec347a147677ab5c4d53a737f6d5ac60383b8ea2a48e5bb444744ef22ee84ae00af0c0cfa56db2fdf11c39a84f0fba3e34377716f3b2ade988ed15cd0ec980d6

Download Submit
\Windows\system\explorer.exe
MD5
d6d2efcd57f3b93a8d16adbb24c2f420

SHA1
8104b9ce0a888935821cde6efcd125fc1c211af9

SHA256
df9e4abccb4489f5c57ece23410fb935cb541643779884d3cbb3c2db617c7f50

SHA512
ec347a147677ab5c4d53a737f6d5ac60383b8ea2a48e5bb444744ef22ee84ae00af0c0cfa56db2fdf11c39a84f0fba3e34377716f3b2ade988ed15cd0ec980d6

Download Submit
\Windows\system\explorer.exe
MD5
d6d2efcd57f3b93a8d16adbb24c2f420

SHA1
8104b9ce0a888935821cde6efcd125fc1c211af9

SHA256
df9e4abccb4489f5c57ece23410fb935cb541643779884d3cbb3c2db617c7f50

SHA512
ec347a147677ab5c4d53a737f6d5ac60383b8ea2a48e5bb444744ef22ee84ae00af0c0cfa56db2fdf11c39a84f0fba3e34377716f3b2ade988ed15cd0ec980d6

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
\Windows\system\spoolsv.exe
MD5
fbef45d8da4104f116d64ba90a140dd1

SHA1
1288d83e3272d54e8ba6bfdfd8879f116f38107c

SHA256
a05a6a327178c2d9a7b6b5b89330d48d64de0ba6ed96d473dae92a5175671fd3

SHA512
9e42e0c76ba032aaea3513a4b2eecd2a3b386acc6a9d67c077ec9b74fe45b87a480f46a569106112028640bba9502f4c444a8e24609e7bc834c60887fb6dd1d8

Download Submit
memory/320-310-0x0000000000000000-mapping.dmp

Download
memory/332-264-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/332-253-0x0000000000000000-mapping.dmp

Download
memory/396-263-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/396-251-0x0000000000000000-mapping.dmp

Download
memory/436-210-0x0000000000000000-mapping.dmp

Download
memory/436-223-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/524-207-0x0000000000000000-mapping.dmp

Download
memory/568-101-0x0000000000000000-mapping.dmp

Download
memory/568-105-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/572-314-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/572-308-0x0000000000000000-mapping.dmp

Download
memory/608-225-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/608-214-0x0000000000000000-mapping.dmp

Download
memory/632-86-0x0000000000411000-mapping.dmp

Download
memory/644-235-0x0000000000000000-mapping.dmp

Download
memory/644-244-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/688-120-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/688-113-0x0000000000000000-mapping.dmp

Download
memory/800-294-0x0000000000000000-mapping.dmp

Download
memory/816-143-0x0000000000000000-mapping.dmp

Download
memory/816-150-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/836-198-0x0000000000000000-mapping.dmp

Download
memory/836-206-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/852-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/852-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/852-66-0x0000000000411000-mapping.dmp

Download
memory/864-224-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/864-212-0x0000000000000000-mapping.dmp

Download
memory/900-239-0x0000000000000000-mapping.dmp

Download
memory/900-246-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/940-300-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/940-293-0x0000000000000000-mapping.dmp

Download
memory/944-237-0x0000000000000000-mapping.dmp

Download
memory/948-272-0x0000000000000000-mapping.dmp

Download
memory/948-284-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/956-149-0x0000000000000000-mapping.dmp

Download
memory/956-158-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1004-203-0x0000000000000000-mapping.dmp

Download
memory/1008-297-0x0000000000000000-mapping.dmp

Download
memory/1068-257-0x0000000000000000-mapping.dmp

Download
memory/1092-216-0x0000000000000000-mapping.dmp

Download
memory/1092-226-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1100-119-0x0000000000000000-mapping.dmp

Download
memory/1100-132-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1108-138-0x0000000000000000-mapping.dmp

Download
memory/1108-146-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1164-247-0x0000000000000000-mapping.dmp

Download
memory/1172-274-0x0000000000000000-mapping.dmp

Download
memory/1172-285-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1188-311-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1188-305-0x0000000000000000-mapping.dmp

Download
memory/1196-270-0x0000000000000000-mapping.dmp

Download
memory/1196-283-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1248-220-0x0000000000000000-mapping.dmp

Download
memory/1252-276-0x0000000000000000-mapping.dmp

Download
memory/1260-242-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1260-231-0x0000000000000000-mapping.dmp

Download
memory/1316-227-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1316-218-0x0000000000000000-mapping.dmp

Download
memory/1336-259-0x0000000000000000-mapping.dmp

Download
memory/1356-104-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1356-96-0x0000000000000000-mapping.dmp

Download
memory/1360-182-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1360-174-0x0000000000000000-mapping.dmp

Download
memory/1380-299-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1380-291-0x0000000000000000-mapping.dmp

Download
memory/1392-233-0x0000000000000000-mapping.dmp

Download
memory/1420-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1420-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1440-183-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1440-179-0x0000000000000000-mapping.dmp

Download
memory/1488-81-0x0000000000403670-mapping.dmp

Download
memory/1504-309-0x0000000000000000-mapping.dmp

Download
memory/1528-289-0x0000000000000000-mapping.dmp

Download
memory/1556-191-0x0000000000000000-mapping.dmp

Download
memory/1576-255-0x0000000000000000-mapping.dmp

Download
memory/1604-303-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1604-296-0x0000000000000000-mapping.dmp

Download
memory/1620-125-0x0000000000000000-mapping.dmp

Download
memory/1620-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1668-287-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1668-278-0x0000000000000000-mapping.dmp

Download
memory/1676-249-0x0000000000000000-mapping.dmp

Download
memory/1680-268-0x0000000000000000-mapping.dmp

Download
memory/1680-282-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1680-75-0x0000000000000000-mapping.dmp

Download
memory/1680-78-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-162-0x0000000000000000-mapping.dmp

Download
memory/1688-170-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1704-155-0x0000000000000000-mapping.dmp

Download
memory/1704-159-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1708-295-0x0000000000000000-mapping.dmp

Download
memory/1708-302-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1724-167-0x0000000000000000-mapping.dmp

Download
memory/1724-171-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1736-130-0x0000000000000000-mapping.dmp

Download
memory/1736-135-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1764-63-0x0000000000403670-mapping.dmp

Download
memory/1764-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1764-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1796-306-0x0000000000000000-mapping.dmp

Download
memory/1796-312-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1836-117-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1836-108-0x0000000000000000-mapping.dmp

Download
memory/1848-280-0x0000000000000000-mapping.dmp

Download
memory/1848-288-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1912-186-0x0000000000000000-mapping.dmp

Download
memory/1912-194-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1996-307-0x0000000000000000-mapping.dmp

Download
memory/2040-229-0x0000000000000000-mapping.dmp

Download