warzonerat | 90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9

Analysis

max time kernel
147s
max time network
137s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
Size

1.8MB
MD5

ab8b026c7402b5e0452ff0f915f2cb0f
SHA1

ca849caf19f9c87e2218f12d8c2c263f010b858f
SHA256

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9
SHA512

c896a625314f135ec0854f2ef80574efc21926c46a04224e6fa3f75342c8647963ee3d7e7538b2ac5352f2ad62f20d9e0bb86c8233289f8bded6ca52830cbbda

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1508	explorer.exe
3652	explorer.exe
3148	spoolsv.exe
3708	spoolsv.exe
1496	spoolsv.exe
2332	spoolsv.exe
2348	spoolsv.exe
3676	spoolsv.exe
1832	spoolsv.exe
2236	spoolsv.exe
684	spoolsv.exe
3444	spoolsv.exe
3164	spoolsv.exe
680	spoolsv.exe
2220	spoolsv.exe
2276	spoolsv.exe
1420	spoolsv.exe
3440	spoolsv.exe
3316	spoolsv.exe
1564	spoolsv.exe
1384	spoolsv.exe
3276	spoolsv.exe
1512	spoolsv.exe
3600	spoolsv.exe
2360	spoolsv.exe
3872	spoolsv.exe
2800	spoolsv.exe
1320	spoolsv.exe
3732	spoolsv.exe
2104	spoolsv.exe
1116	spoolsv.exe
2004	spoolsv.exe
2732	spoolsv.exe
4048	spoolsv.exe
192	spoolsv.exe
2212	spoolsv.exe
2196	spoolsv.exe
1072	spoolsv.exe
1300	spoolsv.exe
936	spoolsv.exe
2736	spoolsv.exe
1020	spoolsv.exe
2308	spoolsv.exe
848	spoolsv.exe
3852	spoolsv.exe
2156	spoolsv.exe
2304	spoolsv.exe
3728	spoolsv.exe
204	spoolsv.exe
3548	spoolsv.exe
3404	spoolsv.exe
3180	spoolsv.exe
4120	spoolsv.exe
4160	spoolsv.exe
4184	spoolsv.exe
4208	spoolsv.exe
4244	spoolsv.exe
4268	spoolsv.exe
4292	spoolsv.exe
4316	spoolsv.exe
4356	spoolsv.exe
4376	spoolsv.exe
4396	spoolsv.exe
4412	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3892 set thread context of 3884	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 3892 set thread context of 3736	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 1508 set thread context of 3652	1508	explorer.exe	explorer.exe
PID 1508 set thread context of 2424	1508	explorer.exe	diskperf.exe
PID 3148 set thread context of 6612	3148	spoolsv.exe	spoolsv.exe
PID 3148 set thread context of 6644	3148	spoolsv.exe	diskperf.exe
PID 3708 set thread context of 6684	3708	spoolsv.exe	spoolsv.exe
PID 3708 set thread context of 6728	3708	spoolsv.exe	diskperf.exe
PID 1496 set thread context of 6768	1496	spoolsv.exe	spoolsv.exe
PID 1496 set thread context of 6800	1496	spoolsv.exe	diskperf.exe
PID 2348 set thread context of 6832	2348	spoolsv.exe	spoolsv.exe
PID 2332 set thread context of 6848	2332	spoolsv.exe	spoolsv.exe
PID 2348 set thread context of 6876	2348	spoolsv.exe	diskperf.exe
PID 2332 set thread context of 6892	2332	spoolsv.exe	diskperf.exe
PID 3676 set thread context of 6908	3676	spoolsv.exe	spoolsv.exe
PID 3676 set thread context of 6964	3676	spoolsv.exe	diskperf.exe
PID 1832 set thread context of 6976	1832	spoolsv.exe	spoolsv.exe
PID 1832 set thread context of 7044	1832	spoolsv.exe	diskperf.exe
PID 2236 set thread context of 7056	2236	spoolsv.exe	spoolsv.exe
PID 684 set thread context of 7032	684	spoolsv.exe	spoolsv.exe
PID 684 set thread context of 7120	684	spoolsv.exe	diskperf.exe
PID 3444 set thread context of 7148	3444	spoolsv.exe	spoolsv.exe
PID 3444 set thread context of 7160	3444	spoolsv.exe	diskperf.exe
PID 3164 set thread context of 2688	3164	spoolsv.exe	spoolsv.exe
PID 3164 set thread context of 2788	3164	spoolsv.exe	diskperf.exe
PID 680 set thread context of 6708	680	spoolsv.exe	spoolsv.exe
PID 680 set thread context of 1156	680	spoolsv.exe	diskperf.exe
PID 2220 set thread context of 1652	2220	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 2076	2276	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 6824	2276	spoolsv.exe	diskperf.exe
PID 1420 set thread context of 6872	1420	spoolsv.exe	spoolsv.exe
PID 1420 set thread context of 2140	1420	spoolsv.exe	diskperf.exe
PID 3440 set thread context of 6836	3440	spoolsv.exe	spoolsv.exe
PID 3440 set thread context of 2396	3440	spoolsv.exe	diskperf.exe
PID 3316 set thread context of 1820	3316	spoolsv.exe	spoolsv.exe
PID 3316 set thread context of 6928	3316	spoolsv.exe	diskperf.exe
PID 1564 set thread context of 7084	1564	spoolsv.exe	spoolsv.exe
PID 1564 set thread context of 6992	1564	spoolsv.exe	diskperf.exe
PID 1384 set thread context of 200	1384	spoolsv.exe	spoolsv.exe
PID 1384 set thread context of 7128	1384	spoolsv.exe	diskperf.exe
PID 3276 set thread context of 3900	3276	spoolsv.exe	spoolsv.exe
PID 3276 set thread context of 6760	3276	spoolsv.exe	diskperf.exe
PID 1512 set thread context of 4228	1512	spoolsv.exe	spoolsv.exe
PID 3600 set thread context of 2268	3600	spoolsv.exe	spoolsv.exe
PID 2360 set thread context of 2720	2360	spoolsv.exe	spoolsv.exe
PID 2360 set thread context of 6904	2360	spoolsv.exe	diskperf.exe
PID 3872 set thread context of 1656	3872	spoolsv.exe	spoolsv.exe
PID 3872 set thread context of 4384	3872	spoolsv.exe	diskperf.exe
PID 2800 set thread context of 2692	2800	spoolsv.exe	spoolsv.exe
PID 2800 set thread context of 7088	2800	spoolsv.exe	diskperf.exe
PID 1320 set thread context of 7156	1320	spoolsv.exe	spoolsv.exe
PID 1320 set thread context of 7028	1320	spoolsv.exe	diskperf.exe
PID 3732 set thread context of 6748	3732	spoolsv.exe	spoolsv.exe
PID 3732 set thread context of 3900	3732	spoolsv.exe	diskperf.exe
PID 2104 set thread context of 1612	2104	spoolsv.exe	spoolsv.exe
PID 2104 set thread context of 6704	2104	spoolsv.exe	diskperf.exe
PID 1116 set thread context of 6856	1116	spoolsv.exe	spoolsv.exe
PID 1116 set thread context of 2268	1116	spoolsv.exe	diskperf.exe
PID 2004 set thread context of 2772	2004	spoolsv.exe	spoolsv.exe
PID 2004 set thread context of 576	2004	spoolsv.exe	diskperf.exe
PID 2732 set thread context of 4568	2732	spoolsv.exe	spoolsv.exe
PID 4048 set thread context of 4596	4048	spoolsv.exe	spoolsv.exe
PID 4048 set thread context of 3264	4048	spoolsv.exe	diskperf.exe
PID 192 set thread context of 3596	192	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exe

pid	process
3884	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
3884	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3652 explorer.exe

pid	process
3652	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3884	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
3884	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
3652	explorer.exe
6612	spoolsv.exe
6612	spoolsv.exe
6684	spoolsv.exe
6684	spoolsv.exe
6768	spoolsv.exe
6768	spoolsv.exe
6832	spoolsv.exe
6848	spoolsv.exe
6832	spoolsv.exe
6908	spoolsv.exe
6848	spoolsv.exe
6908	spoolsv.exe
6976	spoolsv.exe
6976	spoolsv.exe
7032	spoolsv.exe
7032	spoolsv.exe
7056	spoolsv.exe
7056	spoolsv.exe
7148	spoolsv.exe
7148	spoolsv.exe
2688	spoolsv.exe
2688	spoolsv.exe
6708	spoolsv.exe
6708	spoolsv.exe
1652	spoolsv.exe
1652	spoolsv.exe
2076	spoolsv.exe
2076	spoolsv.exe
6872	spoolsv.exe
6872	spoolsv.exe
6836	spoolsv.exe
6836	spoolsv.exe
1820	spoolsv.exe
1820	spoolsv.exe
7084	spoolsv.exe
7084	spoolsv.exe
200	spoolsv.exe
200	spoolsv.exe
3900	spoolsv.exe
3900	spoolsv.exe
4228	spoolsv.exe
4228	spoolsv.exe
2268	spoolsv.exe
2268	spoolsv.exe
2720	spoolsv.exe
2720	spoolsv.exe
1656	spoolsv.exe
1656	spoolsv.exe
2692	spoolsv.exe
2692	spoolsv.exe
7156	spoolsv.exe
7156	spoolsv.exe
6748	spoolsv.exe
6748	spoolsv.exe
1612	spoolsv.exe
1612	spoolsv.exe
6856	spoolsv.exe
6856	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3892 wrote to memory of 3884	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 3892 wrote to memory of 3884	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 3892 wrote to memory of 3884	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 3892 wrote to memory of 3884	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 3892 wrote to memory of 3884	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 3892 wrote to memory of 3884	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 3892 wrote to memory of 3884	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 3892 wrote to memory of 3884	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
PID 3892 wrote to memory of 3736	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 3892 wrote to memory of 3736	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 3892 wrote to memory of 3736	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 3892 wrote to memory of 3736	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 3892 wrote to memory of 3736	3892	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	diskperf.exe
PID 3884 wrote to memory of 1508	3884	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	explorer.exe
PID 3884 wrote to memory of 1508	3884	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	explorer.exe
PID 3884 wrote to memory of 1508	3884	90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe	explorer.exe
PID 1508 wrote to memory of 3652	1508	explorer.exe	explorer.exe
PID 1508 wrote to memory of 3652	1508	explorer.exe	explorer.exe
PID 1508 wrote to memory of 3652	1508	explorer.exe	explorer.exe
PID 1508 wrote to memory of 3652	1508	explorer.exe	explorer.exe
PID 1508 wrote to memory of 3652	1508	explorer.exe	explorer.exe
PID 1508 wrote to memory of 3652	1508	explorer.exe	explorer.exe
PID 1508 wrote to memory of 3652	1508	explorer.exe	explorer.exe
PID 1508 wrote to memory of 3652	1508	explorer.exe	explorer.exe
PID 1508 wrote to memory of 2424	1508	explorer.exe	diskperf.exe
PID 1508 wrote to memory of 2424	1508	explorer.exe	diskperf.exe
PID 1508 wrote to memory of 2424	1508	explorer.exe	diskperf.exe
PID 1508 wrote to memory of 2424	1508	explorer.exe	diskperf.exe
PID 1508 wrote to memory of 2424	1508	explorer.exe	diskperf.exe
PID 3652 wrote to memory of 3148	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3148	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3148	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3708	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3708	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3708	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 1496	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 1496	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 1496	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 2332	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 2332	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 2332	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 2348	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 2348	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 2348	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3676	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3676	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3676	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 1832	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 1832	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 1832	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 2236	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 2236	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 2236	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 684	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 684	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 684	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3444	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3444	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3444	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3164	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3164	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 3164	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 680	3652	explorer.exe	spoolsv.exe
PID 3652 wrote to memory of 680	3652	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
"C:\Users\Admin\AppData\Local\Temp\90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3892

C:\Users\Admin\AppData\Local\Temp\90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe
"C:\Users\Admin\AppData\Local\Temp\90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3884

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1508

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6752

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2332

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6832

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6976

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2236

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:684

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7148

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1952

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2688

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1652

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2076

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6872

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6836

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4116

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7084

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3136

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:200

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3900

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6708

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4228

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4044

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2268

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2720

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7156

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4468

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6748

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4500

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1612

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3776

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6856

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2772

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4568

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4112

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4596

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1924

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3596

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2692

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4664

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4676

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4708

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4724

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:6808

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4772

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:6864

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2072

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3168

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3688

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4368

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1308

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4600

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2804

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3352

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2200

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3500

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4756

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4788

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4828

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4136

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4040

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4952

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4692

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1284

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3644

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2808

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1368

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4828

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5184

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5204

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5232

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5272

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4256

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5032

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5320

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4804

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4188

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4072

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3860

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5204

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5252

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3956

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4312

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5304

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3784

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5532

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4492

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6516

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:2424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:3736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
ab8b026c7402b5e0452ff0f915f2cb0f

SHA1
ca849caf19f9c87e2218f12d8c2c263f010b858f

SHA256
90e34c74bec2e84fa0a134d4204f4ae6c5373eb539d384072db0e42370d7d2e9

SHA512
c896a625314f135ec0854f2ef80574efc21926c46a04224e6fa3f75342c8647963ee3d7e7538b2ac5352f2ad62f20d9e0bb86c8233289f8bded6ca52830cbbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
6f80a48afd042d0e2701c9ced8f4138c

SHA1
ec26fbfaefac29fcf030af286d52fe4f97d90dd4

SHA256
15681247af8ae49206693e96637df4312093ddb596f37e409e41878840b401fb

SHA512
ab5779b6e7d00276ff4492d5081a4ff93cb7c4e201cb766fea02b70f3facc68c8c7ae73b429f86d9d6231766e0e41b757af26ee4efb89ea15a6c5aaf5608003e

Download Submit
C:\Windows\System\explorer.exe
MD5
6f80a48afd042d0e2701c9ced8f4138c

SHA1
ec26fbfaefac29fcf030af286d52fe4f97d90dd4

SHA256
15681247af8ae49206693e96637df4312093ddb596f37e409e41878840b401fb

SHA512
ab5779b6e7d00276ff4492d5081a4ff93cb7c4e201cb766fea02b70f3facc68c8c7ae73b429f86d9d6231766e0e41b757af26ee4efb89ea15a6c5aaf5608003e

Download Submit
C:\Windows\System\explorer.exe
MD5
6f80a48afd042d0e2701c9ced8f4138c

SHA1
ec26fbfaefac29fcf030af286d52fe4f97d90dd4

SHA256
15681247af8ae49206693e96637df4312093ddb596f37e409e41878840b401fb

SHA512
ab5779b6e7d00276ff4492d5081a4ff93cb7c4e201cb766fea02b70f3facc68c8c7ae73b429f86d9d6231766e0e41b757af26ee4efb89ea15a6c5aaf5608003e

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
\??\c:\windows\system\explorer.exe
MD5
6f80a48afd042d0e2701c9ced8f4138c

SHA1
ec26fbfaefac29fcf030af286d52fe4f97d90dd4

SHA256
15681247af8ae49206693e96637df4312093ddb596f37e409e41878840b401fb

SHA512
ab5779b6e7d00276ff4492d5081a4ff93cb7c4e201cb766fea02b70f3facc68c8c7ae73b429f86d9d6231766e0e41b757af26ee4efb89ea15a6c5aaf5608003e

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
a2d8c3dc437c9479b07573af0d7efa79

SHA1
5800bf86058d09d08b983b816636a9cc124a99cf

SHA256
647ea4bcda7cf677f5ae9dd2749fa4bb114df2b55d2ccd41156a089e3954ab19

SHA512
1c11aabf51539c5b0eca0c785faaf9289d489c939b186bab5b0a1cdd0d7391a293019c8e6a0eae61c037fdd02cca678e50ffb3b455dd99148720ea99ac2f06b0

Download Submit
memory/192-241-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/192-238-0x0000000000000000-mapping.dmp

Download
memory/204-281-0x0000000000000000-mapping.dmp

Download
memory/204-284-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/680-176-0x0000000000000000-mapping.dmp

Download
memory/680-179-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/684-169-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/684-166-0x0000000000000000-mapping.dmp

Download
memory/848-267-0x0000000000000000-mapping.dmp

Download
memory/848-275-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/936-263-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/936-255-0x0000000000000000-mapping.dmp

Download
memory/1020-259-0x0000000000000000-mapping.dmp

Download
memory/1020-262-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/1072-251-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1072-248-0x0000000000000000-mapping.dmp

Download
memory/1116-230-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1116-227-0x0000000000000000-mapping.dmp

Download
memory/1300-261-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1300-253-0x0000000000000000-mapping.dmp

Download
memory/1320-221-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1320-218-0x0000000000000000-mapping.dmp

Download
memory/1384-201-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1384-196-0x0000000000000000-mapping.dmp

Download
memory/1420-190-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1420-185-0x0000000000000000-mapping.dmp

Download
memory/1496-150-0x0000000000000000-mapping.dmp

Download
memory/1496-158-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1508-129-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1508-124-0x0000000000000000-mapping.dmp

Download
memory/1512-210-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1512-204-0x0000000000000000-mapping.dmp

Download
memory/1564-194-0x0000000000000000-mapping.dmp

Download
memory/1564-200-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1832-162-0x0000000000000000-mapping.dmp

Download
memory/1832-170-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2004-240-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/2004-232-0x0000000000000000-mapping.dmp

Download
memory/2104-225-0x0000000000000000-mapping.dmp

Download
memory/2104-231-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2156-271-0x0000000000000000-mapping.dmp

Download
memory/2156-274-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/2196-246-0x0000000000000000-mapping.dmp

Download
memory/2196-252-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2212-250-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2212-244-0x0000000000000000-mapping.dmp

Download
memory/2220-187-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2220-181-0x0000000000000000-mapping.dmp

Download
memory/2236-164-0x0000000000000000-mapping.dmp

Download
memory/2236-171-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2276-188-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2276-183-0x0000000000000000-mapping.dmp

Download
memory/2304-277-0x0000000000000000-mapping.dmp

Download
memory/2304-283-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2308-265-0x0000000000000000-mapping.dmp

Download
memory/2308-273-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2332-152-0x0000000000000000-mapping.dmp

Download
memory/2332-159-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2348-154-0x0000000000000000-mapping.dmp

Download
memory/2348-157-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2360-213-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2360-209-0x0000000000000000-mapping.dmp

Download
memory/2424-136-0x0000000000411000-mapping.dmp

Download
memory/2732-242-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2732-234-0x0000000000000000-mapping.dmp

Download
memory/2736-264-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2736-257-0x0000000000000000-mapping.dmp

Download
memory/2800-216-0x0000000000000000-mapping.dmp

Download
memory/2800-222-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/3148-146-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3148-142-0x0000000000000000-mapping.dmp

Download
memory/3164-180-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3164-174-0x0000000000000000-mapping.dmp

Download
memory/3180-290-0x0000000000000000-mapping.dmp

Download
memory/3180-297-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3276-208-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3276-202-0x0000000000000000-mapping.dmp

Download
memory/3316-199-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3316-192-0x0000000000000000-mapping.dmp

Download
memory/3404-296-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3404-288-0x0000000000000000-mapping.dmp

Download
memory/3440-198-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3440-189-0x0000000000000000-mapping.dmp

Download
memory/3444-178-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3444-172-0x0000000000000000-mapping.dmp

Download
memory/3548-286-0x0000000000000000-mapping.dmp

Download
memory/3548-294-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3600-206-0x0000000000000000-mapping.dmp

Download
memory/3600-212-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3652-131-0x0000000000403670-mapping.dmp

Download
memory/3676-160-0x0000000000000000-mapping.dmp

Download
memory/3676-168-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3708-156-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3708-148-0x0000000000000000-mapping.dmp

Download
memory/3728-279-0x0000000000000000-mapping.dmp

Download
memory/3728-285-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3732-223-0x0000000000000000-mapping.dmp

Download
memory/3732-229-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/3736-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3736-118-0x0000000000411000-mapping.dmp

Download
memory/3736-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3852-269-0x0000000000000000-mapping.dmp

Download
memory/3852-276-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3872-220-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3872-214-0x0000000000000000-mapping.dmp

Download
memory/3884-116-0x0000000000403670-mapping.dmp

Download
memory/3884-126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3884-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3892-114-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4048-243-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/4048-236-0x0000000000000000-mapping.dmp

Download
memory/4120-295-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4120-292-0x0000000000000000-mapping.dmp

Download
memory/4160-304-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4160-298-0x0000000000000000-mapping.dmp

Download
memory/4184-305-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4184-300-0x0000000000000000-mapping.dmp

Download
memory/4208-306-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4208-302-0x0000000000000000-mapping.dmp

Download
memory/4244-307-0x0000000000000000-mapping.dmp

Download
memory/4244-315-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4268-309-0x0000000000000000-mapping.dmp

Download
memory/4268-317-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4292-311-0x0000000000000000-mapping.dmp

Download
memory/4292-318-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4316-313-0x0000000000000000-mapping.dmp

Download
memory/4316-316-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4356-319-0x0000000000000000-mapping.dmp

Download