warzonerat | de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d

Analysis

max time kernel
152s
max time network
138s
platform
windows7_x64
resource
win7v20210408
submitted
04-05-2021 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
Size

1.8MB
MD5

c0d072c9682cb4130d3b044861995ba4
SHA1

366d92adc3cac4f67bbdb8c06ebbfdc5fb3b8f1c
SHA256

de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d
SHA512

4ac190c63b481b76f5b9c2b3ef9ff65a733152535f7be4969f2078982e32045061def139d8e86fc895cfa7ed55b5cc88a36d4db6cfa64e81a48e0717f2376e69

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1624	explorer.exe
820	explorer.exe
1636	spoolsv.exe
296	spoolsv.exe
976	spoolsv.exe
1556	spoolsv.exe
880	spoolsv.exe
1604	spoolsv.exe
1312	spoolsv.exe
964	spoolsv.exe
1972	spoolsv.exe
1388	spoolsv.exe
1088	spoolsv.exe
324	spoolsv.exe
1176	spoolsv.exe
1504	spoolsv.exe
1400	spoolsv.exe
724	spoolsv.exe
532	spoolsv.exe
1520	spoolsv.exe
832	spoolsv.exe
1352	spoolsv.exe
1676	spoolsv.exe
1948	spoolsv.exe
1840	spoolsv.exe
1596	spoolsv.exe
1704	spoolsv.exe
912	spoolsv.exe
972	spoolsv.exe
944	spoolsv.exe
1328	spoolsv.exe
1412	spoolsv.exe
1396	spoolsv.exe
1568	spoolsv.exe
1488	spoolsv.exe
1100	spoolsv.exe
2032	spoolsv.exe
1812	spoolsv.exe
1920	spoolsv.exe
400	spoolsv.exe
792	spoolsv.exe
2040	spoolsv.exe
1712	spoolsv.exe
1688	spoolsv.exe
1508	spoolsv.exe
1644	spoolsv.exe
1700	spoolsv.exe
1552	spoolsv.exe
1928	spoolsv.exe
328	spoolsv.exe
1172	spoolsv.exe
1060	spoolsv.exe
1112	spoolsv.exe
1380	spoolsv.exe
752	spoolsv.exe
1052	spoolsv.exe
1624	spoolsv.exe
856	spoolsv.exe
1744	spoolsv.exe
1944	spoolsv.exe
1976	spoolsv.exe
1436	spoolsv.exe
268	spoolsv.exe
648	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exeexplorer.exe

pid	process
1532	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
1532	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe

Adds Run key to start application 2 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exede718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 56 IoCs

Processes:

de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1096 set thread context of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 set thread context of 1224	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	diskperf.exe
PID 1624 set thread context of 820	1624	explorer.exe	explorer.exe
PID 1624 set thread context of 1740	1624	explorer.exe	diskperf.exe
PID 1636 set thread context of 3352	1636	spoolsv.exe	spoolsv.exe
PID 1636 set thread context of 3368	1636	spoolsv.exe	diskperf.exe
PID 296 set thread context of 3408	296	spoolsv.exe	spoolsv.exe
PID 296 set thread context of 3416	296	spoolsv.exe	diskperf.exe
PID 976 set thread context of 3444	976	spoolsv.exe	spoolsv.exe
PID 976 set thread context of 3452	976	spoolsv.exe	diskperf.exe
PID 1556 set thread context of 3480	1556	spoolsv.exe	spoolsv.exe
PID 1556 set thread context of 3488	1556	spoolsv.exe	diskperf.exe
PID 880 set thread context of 3520	880	spoolsv.exe	spoolsv.exe
PID 880 set thread context of 3528	880	spoolsv.exe	diskperf.exe
PID 1604 set thread context of 3556	1604	spoolsv.exe	spoolsv.exe
PID 1604 set thread context of 3564	1604	spoolsv.exe	diskperf.exe
PID 1312 set thread context of 3592	1312	spoolsv.exe	spoolsv.exe
PID 1312 set thread context of 3600	1312	spoolsv.exe	diskperf.exe
PID 964 set thread context of 3628	964	spoolsv.exe	spoolsv.exe
PID 964 set thread context of 3636	964	spoolsv.exe	diskperf.exe
PID 1972 set thread context of 3664	1972	spoolsv.exe	spoolsv.exe
PID 1972 set thread context of 3672	1972	spoolsv.exe	diskperf.exe
PID 1388 set thread context of 3700	1388	spoolsv.exe	spoolsv.exe
PID 1388 set thread context of 3708	1388	spoolsv.exe	diskperf.exe
PID 1088 set thread context of 3736	1088	spoolsv.exe	spoolsv.exe
PID 1088 set thread context of 3744	1088	spoolsv.exe	diskperf.exe
PID 324 set thread context of 3772	324	spoolsv.exe	spoolsv.exe
PID 324 set thread context of 3780	324	spoolsv.exe	diskperf.exe
PID 1176 set thread context of 3808	1176	spoolsv.exe	spoolsv.exe
PID 1176 set thread context of 3816	1176	spoolsv.exe	diskperf.exe
PID 1504 set thread context of 3848	1504	spoolsv.exe	spoolsv.exe
PID 1504 set thread context of 3856	1504	spoolsv.exe	diskperf.exe
PID 1400 set thread context of 3876	1400	spoolsv.exe	spoolsv.exe
PID 1400 set thread context of 3884	1400	spoolsv.exe	diskperf.exe
PID 724 set thread context of 3912	724	spoolsv.exe	spoolsv.exe
PID 724 set thread context of 3920	724	spoolsv.exe	diskperf.exe
PID 532 set thread context of 3940	532	spoolsv.exe	spoolsv.exe
PID 532 set thread context of 3948	532	spoolsv.exe	diskperf.exe
PID 1520 set thread context of 3968	1520	spoolsv.exe	spoolsv.exe
PID 1520 set thread context of 3976	1520	spoolsv.exe	diskperf.exe
PID 832 set thread context of 3996	832	spoolsv.exe	spoolsv.exe
PID 1352 set thread context of 4024	1352	spoolsv.exe	spoolsv.exe
PID 832 set thread context of 4016	832	spoolsv.exe	diskperf.exe
PID 1352 set thread context of 4032	1352	spoolsv.exe	diskperf.exe
PID 1676 set thread context of 4044	1676	spoolsv.exe	spoolsv.exe
PID 1676 set thread context of 4072	1676	spoolsv.exe	diskperf.exe
PID 1948 set thread context of 4052	1948	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 4080	1596	spoolsv.exe	spoolsv.exe
PID 1840 set thread context of 3384	1840	spoolsv.exe	spoolsv.exe
PID 1840 set thread context of 3356	1840	spoolsv.exe	diskperf.exe
PID 1948 set thread context of 4088	1948	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 720	1596	spoolsv.exe	diskperf.exe
PID 1704 set thread context of 3424	1704	spoolsv.exe	spoolsv.exe
PID 912 set thread context of 3468	912	spoolsv.exe	diskperf.exe
PID 912 set thread context of 1964	912	spoolsv.exe	diskperf.exe
PID 1704 set thread context of 3460	1704	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exeexplorer.exe

pid	process
1532	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

820 explorer.exe

pid	process
820	explorer.exe

Suspicious use of SetWindowsHookEx 58 IoCs

Processes:

pid	process
1532	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
1532	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
820	explorer.exe
3352	spoolsv.exe
3352	spoolsv.exe
3408	spoolsv.exe
3408	spoolsv.exe
3444	spoolsv.exe
3444	spoolsv.exe
3480	spoolsv.exe
3480	spoolsv.exe
3520	spoolsv.exe
3520	spoolsv.exe
3556	spoolsv.exe
3556	spoolsv.exe
3592	spoolsv.exe
3592	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
3664	spoolsv.exe
3664	spoolsv.exe
3700	spoolsv.exe
3700	spoolsv.exe
3736	spoolsv.exe
3736	spoolsv.exe
3772	spoolsv.exe
3772	spoolsv.exe
3808	spoolsv.exe
3808	spoolsv.exe
3848	spoolsv.exe
3848	spoolsv.exe
3876	spoolsv.exe
3876	spoolsv.exe
3912	spoolsv.exe
3912	spoolsv.exe
3940	spoolsv.exe
3940	spoolsv.exe
3968	spoolsv.exe
3968	spoolsv.exe
3996	spoolsv.exe
3996	spoolsv.exe
4024	spoolsv.exe
4024	spoolsv.exe
4044	spoolsv.exe
4044	spoolsv.exe
4080	spoolsv.exe
4080	spoolsv.exe
4052	spoolsv.exe
4052	spoolsv.exe
3384	spoolsv.exe
3384	spoolsv.exe
3468	diskperf.exe
3424	spoolsv.exe
3468	diskperf.exe
3424	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exede718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1096 wrote to memory of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 wrote to memory of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 wrote to memory of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 wrote to memory of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 wrote to memory of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 wrote to memory of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 wrote to memory of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 wrote to memory of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 wrote to memory of 1532	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
PID 1096 wrote to memory of 1224	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	diskperf.exe
PID 1096 wrote to memory of 1224	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	diskperf.exe
PID 1096 wrote to memory of 1224	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	diskperf.exe
PID 1096 wrote to memory of 1224	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	diskperf.exe
PID 1096 wrote to memory of 1224	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	diskperf.exe
PID 1096 wrote to memory of 1224	1096	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	diskperf.exe
PID 1532 wrote to memory of 1624	1532	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	explorer.exe
PID 1532 wrote to memory of 1624	1532	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	explorer.exe
PID 1532 wrote to memory of 1624	1532	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	explorer.exe
PID 1532 wrote to memory of 1624	1532	de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe	explorer.exe
PID 1624 wrote to memory of 820	1624	explorer.exe	explorer.exe
PID 1624 wrote to memory of 820	1624	explorer.exe	explorer.exe
PID 1624 wrote to memory of 820	1624	explorer.exe	explorer.exe
PID 1624 wrote to memory of 820	1624	explorer.exe	explorer.exe
PID 1624 wrote to memory of 820	1624	explorer.exe	explorer.exe
PID 1624 wrote to memory of 820	1624	explorer.exe	explorer.exe
PID 1624 wrote to memory of 820	1624	explorer.exe	explorer.exe
PID 1624 wrote to memory of 820	1624	explorer.exe	explorer.exe
PID 1624 wrote to memory of 820	1624	explorer.exe	explorer.exe
PID 1624 wrote to memory of 1740	1624	explorer.exe	diskperf.exe
PID 1624 wrote to memory of 1740	1624	explorer.exe	diskperf.exe
PID 1624 wrote to memory of 1740	1624	explorer.exe	diskperf.exe
PID 1624 wrote to memory of 1740	1624	explorer.exe	diskperf.exe
PID 1624 wrote to memory of 1740	1624	explorer.exe	diskperf.exe
PID 1624 wrote to memory of 1740	1624	explorer.exe	diskperf.exe
PID 820 wrote to memory of 1636	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1636	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1636	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1636	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 296	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 296	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 296	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 296	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 976	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 976	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 976	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 976	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1556	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1556	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1556	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1556	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 880	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 880	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 880	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 880	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1604	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1604	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1604	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1604	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1312	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1312	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1312	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 1312	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 964	820	explorer.exe	spoolsv.exe
PID 820 wrote to memory of 964	820	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
"C:\Users\Admin\AppData\Local\Temp\de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe
  "C:\Users\Admin\AppData\Local\Temp\de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1532
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1636
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3352
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3400
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:296
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3408
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3428
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:976
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3444
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3472
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1556
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3500
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:880
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3520
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3540
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1604
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3576
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1312
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3620
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:964
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3648
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3684
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1388
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3700
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3720
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1088
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3736
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3756
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:324
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3772
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3792
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1176
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3808
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3836
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1504
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3848
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3868
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1400
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3876
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3896
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:724
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3912
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3932
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3940
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3960
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1520
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3968
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3988
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:832
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4016
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1352
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4024
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1676
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4044
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1948
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4052
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1840
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3384
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3412
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1596
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:720
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1704
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3424
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:912
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3468
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3496
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1912
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3588
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:944
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3552
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1328
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3560
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1412
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3608
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1396
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:360
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1568
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1496
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1488
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3716
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1100
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3668
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2032
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3764
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1812
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3740
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1992
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1920
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3812
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:400
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3852
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3880
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:792
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2040
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1612
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4000
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1712
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3956
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1688
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4028
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1508
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3380
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1700
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3468
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1552
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2028
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3592
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1928
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1996
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3632
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:328
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3704
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1172
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1480
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1060
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1652
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1988
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1112
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3812
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:800
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1380
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1192
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3928
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:752
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1056
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1092
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4028
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1624
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3424
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1496
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:856
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3512
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1744
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3584
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1968
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1976
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2008
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3736
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1436
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3828
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:268
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1216
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:648
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3912
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1632
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:544
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1408
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:364
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1664
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3464
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1936
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1492
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1720
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1240
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1876
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:764
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1320
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1216
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:796
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:364
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1136
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:564
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2008
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3512
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1580
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:288
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3752
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:512
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1492
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3392
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1740
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:1224

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:4008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1900

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
c0d072c9682cb4130d3b044861995ba4

SHA1
366d92adc3cac4f67bbdb8c06ebbfdc5fb3b8f1c

SHA256
de718920ebf13c6b82d03f4e9094c3337ea5c6f9b8cdedf6a957b3f73c9a930d

SHA512
4ac190c63b481b76f5b9c2b3ef9ff65a733152535f7be4969f2078982e32045061def139d8e86fc895cfa7ed55b5cc88a36d4db6cfa64e81a48e0717f2376e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
3dbc8fc8df4b6fd1d63819b6e02be21b

SHA1
8aee7e9c9f393a98f88b484000ff6bd37c6ae080

SHA256
c33fc7b5c1a9a761b2a90b6aa07c340605adc51c7551244295ee00dbba3245ef

SHA512
e47d5a45a028bb41f89a1bf633644da28b0173d17eea4a71940493cf2c378389d9e617a08c7eeb73c7c5646c4f6ddb220281834884c612db93f44cd7f4f790ab

Download Submit
C:\Windows\system\explorer.exe

MD5
3dbc8fc8df4b6fd1d63819b6e02be21b

SHA1
8aee7e9c9f393a98f88b484000ff6bd37c6ae080

SHA256
c33fc7b5c1a9a761b2a90b6aa07c340605adc51c7551244295ee00dbba3245ef

SHA512
e47d5a45a028bb41f89a1bf633644da28b0173d17eea4a71940493cf2c378389d9e617a08c7eeb73c7c5646c4f6ddb220281834884c612db93f44cd7f4f790ab

Download Submit
C:\Windows\system\explorer.exe

MD5
3dbc8fc8df4b6fd1d63819b6e02be21b

SHA1
8aee7e9c9f393a98f88b484000ff6bd37c6ae080

SHA256
c33fc7b5c1a9a761b2a90b6aa07c340605adc51c7551244295ee00dbba3245ef

SHA512
e47d5a45a028bb41f89a1bf633644da28b0173d17eea4a71940493cf2c378389d9e617a08c7eeb73c7c5646c4f6ddb220281834884c612db93f44cd7f4f790ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
C:\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\??\c:\windows\system\explorer.exe

MD5
3dbc8fc8df4b6fd1d63819b6e02be21b

SHA1
8aee7e9c9f393a98f88b484000ff6bd37c6ae080

SHA256
c33fc7b5c1a9a761b2a90b6aa07c340605adc51c7551244295ee00dbba3245ef

SHA512
e47d5a45a028bb41f89a1bf633644da28b0173d17eea4a71940493cf2c378389d9e617a08c7eeb73c7c5646c4f6ddb220281834884c612db93f44cd7f4f790ab

Download Submit
\Windows\system\explorer.exe

MD5
3dbc8fc8df4b6fd1d63819b6e02be21b

SHA1
8aee7e9c9f393a98f88b484000ff6bd37c6ae080

SHA256
c33fc7b5c1a9a761b2a90b6aa07c340605adc51c7551244295ee00dbba3245ef

SHA512
e47d5a45a028bb41f89a1bf633644da28b0173d17eea4a71940493cf2c378389d9e617a08c7eeb73c7c5646c4f6ddb220281834884c612db93f44cd7f4f790ab

Download Submit
\Windows\system\explorer.exe

MD5
3dbc8fc8df4b6fd1d63819b6e02be21b

SHA1
8aee7e9c9f393a98f88b484000ff6bd37c6ae080

SHA256
c33fc7b5c1a9a761b2a90b6aa07c340605adc51c7551244295ee00dbba3245ef

SHA512
e47d5a45a028bb41f89a1bf633644da28b0173d17eea4a71940493cf2c378389d9e617a08c7eeb73c7c5646c4f6ddb220281834884c612db93f44cd7f4f790ab

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
\Windows\system\spoolsv.exe

MD5
84a8b26d047a1727c5937af387f6acb4

SHA1
a5b7722637420114ace5bd52e0a2a22c136f3dac

SHA256
33e653010751b7e77835748c3122166da8cab7c4688b5710eb1ff5e032880e3c

SHA512
bf70dec47567787798d325bd65ddc4027f434957e9267fce371644277ea3acb0e00695aa9679096eac9d4b0983cad799edf511ca3ca319a8d4d454854f5b06e2

Download Submit
memory/296-110-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/296-102-0x0000000000000000-mapping.dmp

Download
memory/324-175-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/324-161-0x0000000000000000-mapping.dmp

Download
memory/328-292-0x0000000000000000-mapping.dmp

Download
memory/328-300-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/400-256-0x0000000000000000-mapping.dmp

Download
memory/400-267-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/532-195-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/532-190-0x0000000000000000-mapping.dmp

Download
memory/724-185-0x0000000000000000-mapping.dmp

Download
memory/724-194-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/752-305-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/752-298-0x0000000000000000-mapping.dmp

Download
memory/792-259-0x0000000000000000-mapping.dmp

Download
memory/792-266-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/820-81-0x0000000000403670-mapping.dmp

Download
memory/832-203-0x0000000000000000-mapping.dmp

Download
memory/832-215-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/856-308-0x0000000000000000-mapping.dmp

Download
memory/856-313-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/880-123-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/880-119-0x0000000000000000-mapping.dmp

Download
memory/912-224-0x0000000000000000-mapping.dmp

Download
memory/912-239-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/944-241-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/944-228-0x0000000000000000-mapping.dmp

Download
memory/964-146-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/964-138-0x0000000000000000-mapping.dmp

Download
memory/972-240-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/972-226-0x0000000000000000-mapping.dmp

Download
memory/976-111-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/976-107-0x0000000000000000-mapping.dmp

Download
memory/1052-306-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1052-299-0x0000000000000000-mapping.dmp

Download
memory/1060-302-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1060-295-0x0000000000000000-mapping.dmp

Download
memory/1088-162-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/1088-155-0x0000000000000000-mapping.dmp

Download
memory/1096-61-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1096-60-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1100-248-0x0000000000000000-mapping.dmp

Download
memory/1112-296-0x0000000000000000-mapping.dmp

Download
memory/1112-303-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1172-294-0x0000000000000000-mapping.dmp

Download
memory/1172-301-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1176-179-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1176-167-0x0000000000000000-mapping.dmp

Download
memory/1224-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1224-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1224-69-0x0000000000411000-mapping.dmp

Download
memory/1312-131-0x0000000000000000-mapping.dmp

Download
memory/1328-242-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1328-230-0x0000000000000000-mapping.dmp

Download
memory/1352-207-0x0000000000000000-mapping.dmp

Download
memory/1352-216-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1380-304-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1380-297-0x0000000000000000-mapping.dmp

Download
memory/1388-150-0x0000000000000000-mapping.dmp

Download
memory/1388-159-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1396-237-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1396-234-0x0000000000000000-mapping.dmp

Download
memory/1400-193-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1400-178-0x0000000000000000-mapping.dmp

Download
memory/1412-232-0x0000000000000000-mapping.dmp

Download
memory/1412-243-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1488-260-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1488-246-0x0000000000000000-mapping.dmp

Download
memory/1504-180-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1504-172-0x0000000000000000-mapping.dmp

Download
memory/1508-274-0x0000000000000000-mapping.dmp

Download
memory/1508-287-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1520-198-0x0000000000000000-mapping.dmp

Download
memory/1520-206-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1532-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-63-0x0000000000403670-mapping.dmp

Download
memory/1552-290-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1552-280-0x0000000000000000-mapping.dmp

Download
memory/1556-114-0x0000000000000000-mapping.dmp

Download
memory/1556-122-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1568-258-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1568-244-0x0000000000000000-mapping.dmp

Download
memory/1596-220-0x0000000000000000-mapping.dmp

Download
memory/1604-126-0x0000000000000000-mapping.dmp

Download
memory/1604-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1624-74-0x0000000000000000-mapping.dmp

Download
memory/1624-312-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1624-78-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1624-307-0x0000000000000000-mapping.dmp

Download
memory/1636-99-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1636-94-0x0000000000000000-mapping.dmp

Download
memory/1644-276-0x0000000000000000-mapping.dmp

Download
memory/1644-288-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1676-209-0x0000000000000000-mapping.dmp

Download
memory/1676-217-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1688-272-0x0000000000000000-mapping.dmp

Download
memory/1688-286-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1700-278-0x0000000000000000-mapping.dmp

Download
memory/1700-289-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1704-222-0x0000000000000000-mapping.dmp

Download
memory/1704-238-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1712-270-0x0000000000000000-mapping.dmp

Download
memory/1740-86-0x0000000000411000-mapping.dmp

Download
memory/1744-309-0x0000000000000000-mapping.dmp

Download
memory/1812-252-0x0000000000000000-mapping.dmp

Download
memory/1840-219-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1840-213-0x0000000000000000-mapping.dmp

Download
memory/1920-254-0x0000000000000000-mapping.dmp

Download
memory/1928-282-0x0000000000000000-mapping.dmp

Download
memory/1944-310-0x0000000000000000-mapping.dmp

Download
memory/1948-211-0x0000000000000000-mapping.dmp

Download
memory/1948-218-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1972-143-0x0000000000000000-mapping.dmp

Download
memory/1972-147-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1976-311-0x0000000000000000-mapping.dmp

Download
memory/2032-250-0x0000000000000000-mapping.dmp

Download
memory/2032-262-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2040-284-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2040-268-0x0000000000000000-mapping.dmp

Download