warzonerat | 926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc4a2d6d_by_Libranalysis.exe
Size

1.8MB
MD5

bc4a2d6d59a0aee1a434e93f5d59019a
SHA1

2403a1c0017b46d2357f3730b9d5c16fa7284a28
SHA256

926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea
SHA512

5b808a743ed3663656417dc23b9614dc89ab25c5814040f76afa356659ce3614431a2580963e977c9169d262ba80a4238d70ab53b7317f1b6003fd5111e8ba47

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
600	explorer.exe
668	explorer.exe
1368	spoolsv.exe
1484	spoolsv.exe
672	spoolsv.exe
788	spoolsv.exe
1756	spoolsv.exe
2020	spoolsv.exe
2040	spoolsv.exe
1560	spoolsv.exe
916	spoolsv.exe
952	spoolsv.exe
1544	spoolsv.exe
292	spoolsv.exe
340	spoolsv.exe
1676	spoolsv.exe
2036	spoolsv.exe
1816	spoolsv.exe
804	spoolsv.exe
620	spoolsv.exe
860	spoolsv.exe
284	spoolsv.exe
1688	spoolsv.exe
1160	spoolsv.exe
644	spoolsv.exe
1256	spoolsv.exe
1620	spoolsv.exe
532	spoolsv.exe
2016	spoolsv.exe
1276	spoolsv.exe
972	spoolsv.exe
960	spoolsv.exe
272	spoolsv.exe
288	spoolsv.exe
888	spoolsv.exe
556	spoolsv.exe
1864	spoolsv.exe
2008	spoolsv.exe
1564	spoolsv.exe
852	spoolsv.exe
1504	spoolsv.exe
600	spoolsv.exe
1476	spoolsv.exe
1112	spoolsv.exe
1552	spoolsv.exe
1748	spoolsv.exe
1860	spoolsv.exe
1724	spoolsv.exe
1228	spoolsv.exe
1576	spoolsv.exe
728	spoolsv.exe
1680	spoolsv.exe
1960	spoolsv.exe
1172	spoolsv.exe
1556	spoolsv.exe
756	spoolsv.exe
1300	spoolsv.exe
776	spoolsv.exe
1056	spoolsv.exe
1432	spoolsv.exe
1308	spoolsv.exe
2004	spoolsv.exe
2000	spoolsv.exe
1192	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exeexplorer.exe

pid	process
1636	bc4a2d6d_by_Libranalysis.exe
1636	bc4a2d6d_by_Libranalysis.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe

Adds Run key to start application 2 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bc4a2d6d_by_Libranalysis.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	bc4a2d6d_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1084 set thread context of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 set thread context of 1640	1084	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 600 set thread context of 668	600	explorer.exe	explorer.exe
PID 600 set thread context of 328	600	explorer.exe	diskperf.exe
PID 1368 set thread context of 3096	1368	spoolsv.exe	spoolsv.exe
PID 1368 set thread context of 3104	1368	spoolsv.exe	diskperf.exe
PID 1484 set thread context of 3132	1484	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 3140	1484	spoolsv.exe	diskperf.exe
PID 672 set thread context of 3168	672	spoolsv.exe	spoolsv.exe
PID 672 set thread context of 3176	672	spoolsv.exe	diskperf.exe
PID 788 set thread context of 3204	788	spoolsv.exe	spoolsv.exe
PID 788 set thread context of 3212	788	spoolsv.exe	diskperf.exe
PID 1756 set thread context of 3236	1756	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 3244	1756	spoolsv.exe	diskperf.exe
PID 2020 set thread context of 3272	2020	spoolsv.exe	spoolsv.exe
PID 2020 set thread context of 3280	2020	spoolsv.exe	diskperf.exe
PID 2040 set thread context of 3312	2040	spoolsv.exe	spoolsv.exe
PID 2040 set thread context of 3320	2040	spoolsv.exe	diskperf.exe
PID 1560 set thread context of 3352	1560	spoolsv.exe	spoolsv.exe
PID 1560 set thread context of 3360	1560	spoolsv.exe	diskperf.exe
PID 916 set thread context of 3392	916	spoolsv.exe	spoolsv.exe
PID 916 set thread context of 3400	916	spoolsv.exe	diskperf.exe
PID 952 set thread context of 3428	952	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 3436	952	spoolsv.exe	diskperf.exe
PID 1544 set thread context of 3464	1544	spoolsv.exe	spoolsv.exe
PID 1544 set thread context of 3472	1544	spoolsv.exe	diskperf.exe
PID 292 set thread context of 3492	292	spoolsv.exe	spoolsv.exe
PID 292 set thread context of 3500	292	spoolsv.exe	diskperf.exe
PID 340 set thread context of 3528	340	spoolsv.exe	spoolsv.exe
PID 340 set thread context of 3536	340	spoolsv.exe	diskperf.exe
PID 1676 set thread context of 3564	1676	spoolsv.exe	spoolsv.exe
PID 1676 set thread context of 3572	1676	spoolsv.exe	diskperf.exe
PID 2036 set thread context of 3600	2036	spoolsv.exe	spoolsv.exe
PID 2036 set thread context of 3608	2036	spoolsv.exe	diskperf.exe
PID 1816 set thread context of 3628	1816	spoolsv.exe	spoolsv.exe
PID 1816 set thread context of 3636	1816	spoolsv.exe	diskperf.exe
PID 804 set thread context of 3652	804	spoolsv.exe	spoolsv.exe
PID 804 set thread context of 3660	804	spoolsv.exe	diskperf.exe
PID 620 set thread context of 3688	620	spoolsv.exe	spoolsv.exe
PID 620 set thread context of 3696	620	spoolsv.exe	diskperf.exe
PID 860 set thread context of 3720	860	spoolsv.exe	spoolsv.exe
PID 860 set thread context of 3728	860	spoolsv.exe	diskperf.exe
PID 284 set thread context of 3752	284	spoolsv.exe	spoolsv.exe
PID 284 set thread context of 3772	284	spoolsv.exe	diskperf.exe
PID 1160 set thread context of 3780	1160	spoolsv.exe	spoolsv.exe
PID 1160 set thread context of 3800	1160	spoolsv.exe	diskperf.exe
PID 1688 set thread context of 3808	1688	spoolsv.exe	spoolsv.exe
PID 1688 set thread context of 3816	1688	spoolsv.exe	diskperf.exe
PID 1256 set thread context of 3824	1256	spoolsv.exe	spoolsv.exe
PID 644 set thread context of 3852	644	spoolsv.exe	spoolsv.exe
PID 644 set thread context of 3860	644	spoolsv.exe	diskperf.exe
PID 1256 set thread context of 3844	1256	spoolsv.exe	diskperf.exe
PID 532 set thread context of 3884	532	spoolsv.exe	spoolsv.exe
PID 532 set thread context of 3892	532	spoolsv.exe	diskperf.exe
PID 1620 set thread context of 3900	1620	spoolsv.exe	spoolsv.exe
PID 1620 set thread context of 3908	1620	spoolsv.exe	diskperf.exe
PID 2016 set thread context of 3916	2016	spoolsv.exe	spoolsv.exe
PID 2016 set thread context of 3936	2016	spoolsv.exe	diskperf.exe
PID 1276 set thread context of 3944	1276	spoolsv.exe	spoolsv.exe
PID 960 set thread context of 3960	960	spoolsv.exe	spoolsv.exe
PID 1276 set thread context of 3952	1276	spoolsv.exe	diskperf.exe
PID 960 set thread context of 3968	960	spoolsv.exe	diskperf.exe
PID 972 set thread context of 3976	972	spoolsv.exe	spoolsv.exe
PID 972 set thread context of 3984	972	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	bc4a2d6d_by_Libranalysis.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exeexplorer.exe

pid	process
1636	bc4a2d6d_by_Libranalysis.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

668 explorer.exe

pid	process
668	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1636	bc4a2d6d_by_Libranalysis.exe
1636	bc4a2d6d_by_Libranalysis.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
668	explorer.exe
3096	spoolsv.exe
3096	spoolsv.exe
3132	spoolsv.exe
3132	spoolsv.exe
3168	spoolsv.exe
3168	spoolsv.exe
3204	spoolsv.exe
3204	spoolsv.exe
3236	spoolsv.exe
3236	spoolsv.exe
3272	spoolsv.exe
3272	spoolsv.exe
3312	spoolsv.exe
3312	spoolsv.exe
3352	spoolsv.exe
3352	spoolsv.exe
3392	spoolsv.exe
3392	spoolsv.exe
3428	spoolsv.exe
3428	spoolsv.exe
3464	spoolsv.exe
3464	spoolsv.exe
3492	spoolsv.exe
3492	spoolsv.exe
3528	spoolsv.exe
3528	spoolsv.exe
3564	spoolsv.exe
3564	spoolsv.exe
3600	spoolsv.exe
3600	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
3652	spoolsv.exe
3652	spoolsv.exe
3688	spoolsv.exe
3688	spoolsv.exe
3720	spoolsv.exe
3720	spoolsv.exe
3752	spoolsv.exe
3752	spoolsv.exe
3780	spoolsv.exe
3780	spoolsv.exe
3808	spoolsv.exe
3808	spoolsv.exe
3824	spoolsv.exe
3852	spoolsv.exe
3824	spoolsv.exe
3852	spoolsv.exe
3884	spoolsv.exe
3884	spoolsv.exe
3900	spoolsv.exe
3916	spoolsv.exe
3944	spoolsv.exe
3900	spoolsv.exe
3960	spoolsv.exe
3976	spoolsv.exe
3916	spoolsv.exe
3976	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bc4a2d6d_by_Libranalysis.exebc4a2d6d_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1084 wrote to memory of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 wrote to memory of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 wrote to memory of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 wrote to memory of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 wrote to memory of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 wrote to memory of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 wrote to memory of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 wrote to memory of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 wrote to memory of 1636	1084	bc4a2d6d_by_Libranalysis.exe	bc4a2d6d_by_Libranalysis.exe
PID 1084 wrote to memory of 1640	1084	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 1084 wrote to memory of 1640	1084	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 1084 wrote to memory of 1640	1084	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 1084 wrote to memory of 1640	1084	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 1084 wrote to memory of 1640	1084	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 1084 wrote to memory of 1640	1084	bc4a2d6d_by_Libranalysis.exe	diskperf.exe
PID 1636 wrote to memory of 600	1636	bc4a2d6d_by_Libranalysis.exe	explorer.exe
PID 1636 wrote to memory of 600	1636	bc4a2d6d_by_Libranalysis.exe	explorer.exe
PID 1636 wrote to memory of 600	1636	bc4a2d6d_by_Libranalysis.exe	explorer.exe
PID 1636 wrote to memory of 600	1636	bc4a2d6d_by_Libranalysis.exe	explorer.exe
PID 600 wrote to memory of 668	600	explorer.exe	explorer.exe
PID 600 wrote to memory of 668	600	explorer.exe	explorer.exe
PID 600 wrote to memory of 668	600	explorer.exe	explorer.exe
PID 600 wrote to memory of 668	600	explorer.exe	explorer.exe
PID 600 wrote to memory of 668	600	explorer.exe	explorer.exe
PID 600 wrote to memory of 668	600	explorer.exe	explorer.exe
PID 600 wrote to memory of 668	600	explorer.exe	explorer.exe
PID 600 wrote to memory of 668	600	explorer.exe	explorer.exe
PID 600 wrote to memory of 668	600	explorer.exe	explorer.exe
PID 600 wrote to memory of 328	600	explorer.exe	diskperf.exe
PID 600 wrote to memory of 328	600	explorer.exe	diskperf.exe
PID 600 wrote to memory of 328	600	explorer.exe	diskperf.exe
PID 600 wrote to memory of 328	600	explorer.exe	diskperf.exe
PID 600 wrote to memory of 328	600	explorer.exe	diskperf.exe
PID 600 wrote to memory of 328	600	explorer.exe	diskperf.exe
PID 668 wrote to memory of 1368	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1368	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1368	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1368	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1484	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1484	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1484	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1484	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 672	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 672	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 672	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 672	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 788	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 788	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 788	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 788	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1756	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1756	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1756	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1756	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2020	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2020	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2020	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2020	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2040	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2040	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2040	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 2040	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1560	668	explorer.exe	spoolsv.exe
PID 668 wrote to memory of 1560	668	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\bc4a2d6d_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\bc4a2d6d_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\bc4a2d6d_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\bc4a2d6d_by_Libranalysis.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:600

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3096

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3124

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3132

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3152

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3168

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3188

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3204

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3224

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3236

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3292

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3312

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3336

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3352

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3392

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3428

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3448

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3464

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3484

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3496

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3492

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3512

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3528

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3564

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3584

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3600

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3620

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3652

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3688

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3720

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3752

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3808

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3780

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3824

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3900

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3884

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3928

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4028

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:288

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4044

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4064

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4036

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4080

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4088

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1248

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:704

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1196

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3172

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3240

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3384

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1944

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3456

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1228

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3464

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3544

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3668

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3704

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3724

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3752

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3780

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1716

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3856

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1480

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1592

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:900

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1308

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3996

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4060

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4092

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3272

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3196

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3236

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3408

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3260

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1136

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3508

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:612

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3596

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1212

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3616

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3724

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3652

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1640

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
bc4a2d6d59a0aee1a434e93f5d59019a

SHA1
2403a1c0017b46d2357f3730b9d5c16fa7284a28

SHA256
926509aff0ec48ac354fe49b372f8e2b8d05fe97ba5a1828b422ca75b95cb0ea

SHA512
5b808a743ed3663656417dc23b9614dc89ab25c5814040f76afa356659ce3614431a2580963e977c9169d262ba80a4238d70ab53b7317f1b6003fd5111e8ba47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
b61fca770156484b923df6aa03ab949e

SHA1
c97b1c74613b54247b20fd8a946934c411cb0d5e

SHA256
4654b6a952d5f663db28fd4bcb6bba763ed25ce764461d3e83c7f7f1b755f0bc

SHA512
79ef4bec927abde32bfd3b4e95e992a5a0ce7c4c270b8d8eb60d3b0547c78a3b830292852a0f05f46b3eff5fb1b9d8727a637153537aed15ec7fa2ce5e3f648c

Download Submit
C:\Windows\system\explorer.exe
MD5
b61fca770156484b923df6aa03ab949e

SHA1
c97b1c74613b54247b20fd8a946934c411cb0d5e

SHA256
4654b6a952d5f663db28fd4bcb6bba763ed25ce764461d3e83c7f7f1b755f0bc

SHA512
79ef4bec927abde32bfd3b4e95e992a5a0ce7c4c270b8d8eb60d3b0547c78a3b830292852a0f05f46b3eff5fb1b9d8727a637153537aed15ec7fa2ce5e3f648c

Download Submit
C:\Windows\system\explorer.exe
MD5
b61fca770156484b923df6aa03ab949e

SHA1
c97b1c74613b54247b20fd8a946934c411cb0d5e

SHA256
4654b6a952d5f663db28fd4bcb6bba763ed25ce764461d3e83c7f7f1b755f0bc

SHA512
79ef4bec927abde32bfd3b4e95e992a5a0ce7c4c270b8d8eb60d3b0547c78a3b830292852a0f05f46b3eff5fb1b9d8727a637153537aed15ec7fa2ce5e3f648c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
C:\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\??\c:\windows\system\explorer.exe
MD5
b61fca770156484b923df6aa03ab949e

SHA1
c97b1c74613b54247b20fd8a946934c411cb0d5e

SHA256
4654b6a952d5f663db28fd4bcb6bba763ed25ce764461d3e83c7f7f1b755f0bc

SHA512
79ef4bec927abde32bfd3b4e95e992a5a0ce7c4c270b8d8eb60d3b0547c78a3b830292852a0f05f46b3eff5fb1b9d8727a637153537aed15ec7fa2ce5e3f648c

Download Submit
\Windows\system\explorer.exe
MD5
b61fca770156484b923df6aa03ab949e

SHA1
c97b1c74613b54247b20fd8a946934c411cb0d5e

SHA256
4654b6a952d5f663db28fd4bcb6bba763ed25ce764461d3e83c7f7f1b755f0bc

SHA512
79ef4bec927abde32bfd3b4e95e992a5a0ce7c4c270b8d8eb60d3b0547c78a3b830292852a0f05f46b3eff5fb1b9d8727a637153537aed15ec7fa2ce5e3f648c

Download Submit
\Windows\system\explorer.exe
MD5
b61fca770156484b923df6aa03ab949e

SHA1
c97b1c74613b54247b20fd8a946934c411cb0d5e

SHA256
4654b6a952d5f663db28fd4bcb6bba763ed25ce764461d3e83c7f7f1b755f0bc

SHA512
79ef4bec927abde32bfd3b4e95e992a5a0ce7c4c270b8d8eb60d3b0547c78a3b830292852a0f05f46b3eff5fb1b9d8727a637153537aed15ec7fa2ce5e3f648c

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
\Windows\system\spoolsv.exe
MD5
ec2f354b2cbd1c10e576a281341f0116

SHA1
56e5181c8dbb915de47abb2891d634dd718e7a4b

SHA256
f8c7f57bb41fbe3aeef51dadc0b9d06032927e47ac0a934eb5677109d590d4b1

SHA512
69fb84baa577dba5d3c3d25b559949840fe0b8f6c52aad0d48a6742f74fe4a8bb8179ef392688656c3595176abaf952f2f61eb47c24586bc948d0c493e288a48

Download Submit
memory/272-247-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/272-237-0x0000000000000000-mapping.dmp

Download
memory/284-206-0x0000000000000000-mapping.dmp

Download
memory/284-210-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/288-248-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/288-239-0x0000000000000000-mapping.dmp

Download
memory/292-170-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/292-162-0x0000000000000000-mapping.dmp

Download
memory/328-86-0x0000000000411000-mapping.dmp

Download
memory/340-167-0x0000000000000000-mapping.dmp

Download
memory/532-221-0x0000000000000000-mapping.dmp

Download
memory/556-264-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/556-250-0x0000000000000000-mapping.dmp

Download
memory/600-78-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/600-270-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/600-262-0x0000000000000000-mapping.dmp

Download
memory/600-73-0x0000000000000000-mapping.dmp

Download
memory/620-198-0x0000000000000000-mapping.dmp

Download
memory/620-208-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/644-215-0x0000000000000000-mapping.dmp

Download
memory/668-81-0x0000000000403670-mapping.dmp

Download
memory/672-107-0x0000000000000000-mapping.dmp

Download
memory/672-111-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/728-294-0x0000000000000000-mapping.dmp

Download
memory/756-305-0x0000000000000000-mapping.dmp

Download
memory/756-310-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/776-307-0x0000000000000000-mapping.dmp

Download
memory/788-122-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/788-114-0x0000000000000000-mapping.dmp

Download
memory/804-191-0x0000000000000000-mapping.dmp

Download
memory/852-258-0x0000000000000000-mapping.dmp

Download
memory/860-209-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-203-0x0000000000000000-mapping.dmp

Download
memory/888-249-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/888-241-0x0000000000000000-mapping.dmp

Download
memory/916-147-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/916-143-0x0000000000000000-mapping.dmp

Download
memory/952-150-0x0000000000000000-mapping.dmp

Download
memory/952-158-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/960-235-0x0000000000000000-mapping.dmp

Download
memory/960-246-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/972-233-0x0000000000000000-mapping.dmp

Download
memory/972-245-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1056-308-0x0000000000000000-mapping.dmp

Download
memory/1056-313-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp

Filesize
8KB

Download
memory/1084-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1112-273-0x0000000000000000-mapping.dmp

Download
memory/1160-224-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1160-213-0x0000000000000000-mapping.dmp

Download
memory/1172-304-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1172-297-0x0000000000000000-mapping.dmp

Download
memory/1228-283-0x0000000000000000-mapping.dmp

Download
memory/1256-226-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1256-217-0x0000000000000000-mapping.dmp

Download
memory/1276-231-0x0000000000000000-mapping.dmp

Download
memory/1276-244-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1300-306-0x0000000000000000-mapping.dmp

Download
memory/1300-311-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1308-315-0x0000000000000000-mapping.dmp

Download
memory/1368-94-0x0000000000000000-mapping.dmp

Download
memory/1368-98-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1432-309-0x0000000000000000-mapping.dmp

Download
memory/1476-271-0x0000000000000000-mapping.dmp

Download
memory/1484-102-0x0000000000000000-mapping.dmp

Download
memory/1484-110-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1504-269-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1504-260-0x0000000000000000-mapping.dmp

Download
memory/1544-159-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1544-155-0x0000000000000000-mapping.dmp

Download
memory/1552-287-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1552-275-0x0000000000000000-mapping.dmp

Download
memory/1556-299-0x0000000000000000-mapping.dmp

Download
memory/1560-138-0x0000000000000000-mapping.dmp

Download
memory/1560-146-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1564-256-0x0000000000000000-mapping.dmp

Download
memory/1564-267-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1576-292-0x0000000000000000-mapping.dmp

Download
memory/1620-219-0x0000000000000000-mapping.dmp

Download
memory/1636-63-0x0000000000403670-mapping.dmp

Download
memory/1636-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1640-67-0x0000000000411000-mapping.dmp

Download
memory/1640-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1640-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-174-0x0000000000000000-mapping.dmp

Download
memory/1676-182-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1680-295-0x0000000000000000-mapping.dmp

Download
memory/1688-223-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-211-0x0000000000000000-mapping.dmp

Download
memory/1724-281-0x0000000000000000-mapping.dmp

Download
memory/1748-277-0x0000000000000000-mapping.dmp

Download
memory/1756-119-0x0000000000000000-mapping.dmp

Download
memory/1756-123-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1816-186-0x0000000000000000-mapping.dmp

Download
memory/1860-290-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1860-279-0x0000000000000000-mapping.dmp

Download
memory/1864-265-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1864-252-0x0000000000000000-mapping.dmp

Download
memory/1960-296-0x0000000000000000-mapping.dmp

Download
memory/2008-254-0x0000000000000000-mapping.dmp

Download
memory/2016-229-0x0000000000000000-mapping.dmp

Download
memory/2016-243-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2020-126-0x0000000000000000-mapping.dmp

Download
memory/2020-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2036-179-0x0000000000000000-mapping.dmp

Download
memory/2036-183-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2040-135-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2040-131-0x0000000000000000-mapping.dmp

Download