warzonerat | 33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5

Analysis

max time kernel
150s
max time network
116s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9e4fdb4_by_Libranalysis.exe
Size

1.8MB
MD5

b9e4fdb4f1d1e50fb2b1bc6f8e648e91
SHA1

afe3e9370a5fb240ae917a9089fc07b6a54a7bd6
SHA256

33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5
SHA512

ff4f45aca5c634e0e64623c8dd1e5521b502713166c5cc01699d3eef24b39e3ae7238d8afa61457c418d242cadb9505ba09a7b50cfac55cf5fa4855c7bdb2cad

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3276	explorer.exe
1300	explorer.exe
656	spoolsv.exe
3220	spoolsv.exe
1116	spoolsv.exe
1452	spoolsv.exe
2564	spoolsv.exe
1096	spoolsv.exe
920	spoolsv.exe
2748	spoolsv.exe
3164	spoolsv.exe
2496	spoolsv.exe
3788	spoolsv.exe
3768	spoolsv.exe
2308	spoolsv.exe
2228	spoolsv.exe
432	spoolsv.exe
1760	spoolsv.exe
1824	spoolsv.exe
3564	spoolsv.exe
1604	spoolsv.exe
3592	spoolsv.exe
2332	spoolsv.exe
1844	spoolsv.exe
3456	spoolsv.exe
64	spoolsv.exe
1632	spoolsv.exe
2144	spoolsv.exe
2336	spoolsv.exe
3856	spoolsv.exe
1444	spoolsv.exe
2580	spoolsv.exe
988	spoolsv.exe
2384	spoolsv.exe
2280	spoolsv.exe
2208	spoolsv.exe
3700	spoolsv.exe
3576	spoolsv.exe
3952	spoolsv.exe
1588	spoolsv.exe
784	spoolsv.exe
1068	spoolsv.exe
3156	spoolsv.exe
3224	spoolsv.exe
1268	spoolsv.exe
524	spoolsv.exe
1212	spoolsv.exe
3276	spoolsv.exe
3844	spoolsv.exe
4104	spoolsv.exe
4128	spoolsv.exe
4152	spoolsv.exe
4192	spoolsv.exe
4216	spoolsv.exe
4240	spoolsv.exe
4276	spoolsv.exe
4300	spoolsv.exe
4324	spoolsv.exe
4364	spoolsv.exe
4388	spoolsv.exe
4412	spoolsv.exe
4432	spoolsv.exe
4452	spoolsv.exe
4480	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeb9e4fdb4_by_Libranalysis.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	b9e4fdb4_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

b9e4fdb4_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3560 set thread context of 3712	3560	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 3276 set thread context of 1300	3276	explorer.exe	explorer.exe
PID 3276 set thread context of 780	3276	explorer.exe	diskperf.exe
PID 656 set thread context of 6732	656	spoolsv.exe	spoolsv.exe
PID 656 set thread context of 6772	656	spoolsv.exe	diskperf.exe
PID 3220 set thread context of 6844	3220	spoolsv.exe	spoolsv.exe
PID 3220 set thread context of 6872	3220	spoolsv.exe	diskperf.exe
PID 1116 set thread context of 6896	1116	spoolsv.exe	spoolsv.exe
PID 1116 set thread context of 6924	1116	spoolsv.exe	diskperf.exe
PID 1452 set thread context of 6968	1452	spoolsv.exe	spoolsv.exe
PID 1452 set thread context of 6984	1452	spoolsv.exe	diskperf.exe
PID 2564 set thread context of 7028	2564	spoolsv.exe	spoolsv.exe
PID 2564 set thread context of 7060	2564	spoolsv.exe	diskperf.exe
PID 1096 set thread context of 7104	1096	spoolsv.exe	spoolsv.exe
PID 1096 set thread context of 7132	1096	spoolsv.exe	diskperf.exe
PID 920 set thread context of 7140	920	spoolsv.exe	spoolsv.exe
PID 920 set thread context of 3444	920	spoolsv.exe	diskperf.exe
PID 2748 set thread context of 6820	2748	spoolsv.exe	spoolsv.exe
PID 3164 set thread context of 3848	3164	spoolsv.exe	spoolsv.exe
PID 2748 set thread context of 6888	2748	spoolsv.exe	diskperf.exe
PID 3164 set thread context of 6940	3164	spoolsv.exe	diskperf.exe
PID 2496 set thread context of 6948	2496	spoolsv.exe	spoolsv.exe
PID 2496 set thread context of 6900	2496	spoolsv.exe	diskperf.exe
PID 3788 set thread context of 1960	3788	spoolsv.exe	spoolsv.exe
PID 3788 set thread context of 7020	3788	spoolsv.exe	diskperf.exe
PID 3768 set thread context of 7084	3768	spoolsv.exe	spoolsv.exe
PID 3768 set thread context of 7040	3768	spoolsv.exe	diskperf.exe
PID 2308 set thread context of 7100	2308	spoolsv.exe	diskperf.exe
PID 2228 set thread context of 1160	2228	spoolsv.exe	spoolsv.exe
PID 432 set thread context of 6796	432	spoolsv.exe	spoolsv.exe
PID 432 set thread context of 7144	432	spoolsv.exe	diskperf.exe
PID 1760 set thread context of 3168	1760	spoolsv.exe	svchost.exe
PID 1760 set thread context of 6868	1760	spoolsv.exe	diskperf.exe
PID 1824 set thread context of 1816	1824	spoolsv.exe	spoolsv.exe
PID 1824 set thread context of 7088	1824	spoolsv.exe	diskperf.exe
PID 3564 set thread context of 2312	3564	spoolsv.exe	spoolsv.exe
PID 3564 set thread context of 7092	3564	spoolsv.exe	diskperf.exe
PID 1604 set thread context of 7164	1604	spoolsv.exe	spoolsv.exe
PID 1604 set thread context of 7100	1604	spoolsv.exe	diskperf.exe
PID 3592 set thread context of 3608	3592	spoolsv.exe	spoolsv.exe
PID 3592 set thread context of 3840	3592	spoolsv.exe	diskperf.exe
PID 2332 set thread context of 4404	2332	spoolsv.exe	spoolsv.exe
PID 2332 set thread context of 1728	2332	spoolsv.exe	diskperf.exe
PID 1844 set thread context of 4444	1844	spoolsv.exe	spoolsv.exe
PID 3456 set thread context of 2312	3456	spoolsv.exe	spoolsv.exe
PID 64 set thread context of 3712	64	spoolsv.exe	spoolsv.exe
PID 1632 set thread context of 4524	1632	spoolsv.exe	spoolsv.exe
PID 1632 set thread context of 2936	1632	spoolsv.exe	diskperf.exe
PID 2144 set thread context of 2032	2144	spoolsv.exe	spoolsv.exe
PID 2144 set thread context of 6908	2144	spoolsv.exe	diskperf.exe
PID 2336 set thread context of 4448	2336	spoolsv.exe	svchost.exe
PID 2336 set thread context of 6936	2336	spoolsv.exe	diskperf.exe
PID 3856 set thread context of 4492	3856	spoolsv.exe	spoolsv.exe
PID 3856 set thread context of 7008	3856	spoolsv.exe	diskperf.exe
PID 1444 set thread context of 3688	1444	spoolsv.exe	spoolsv.exe
PID 1444 set thread context of 4512	1444	spoolsv.exe	diskperf.exe
PID 2580 set thread context of 3608	2580	spoolsv.exe	spoolsv.exe
PID 2580 set thread context of 508	2580	spoolsv.exe	diskperf.exe
PID 988 set thread context of 1108	988	spoolsv.exe	spoolsv.exe
PID 988 set thread context of 3600	988	spoolsv.exe	diskperf.exe
PID 2384 set thread context of 3948	2384	spoolsv.exe	spoolsv.exe
PID 2384 set thread context of 600	2384	spoolsv.exe	diskperf.exe
PID 2280 set thread context of 2736	2280	spoolsv.exe	spoolsv.exe
PID 2280 set thread context of 3172	2280	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

b9e4fdb4_by_Libranalysis.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	b9e4fdb4_by_Libranalysis.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b9e4fdb4_by_Libranalysis.exeexplorer.exe

pid	process
3712	b9e4fdb4_by_Libranalysis.exe
3712	b9e4fdb4_by_Libranalysis.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1300 explorer.exe

pid	process
1300	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

b9e4fdb4_by_Libranalysis.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exediskperf.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exe

pid	process
3712	b9e4fdb4_by_Libranalysis.exe
3712	b9e4fdb4_by_Libranalysis.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
6732	spoolsv.exe
6732	spoolsv.exe
6844	spoolsv.exe
6844	spoolsv.exe
6896	spoolsv.exe
6896	spoolsv.exe
6968	spoolsv.exe
6968	spoolsv.exe
7028	spoolsv.exe
7028	spoolsv.exe
7104	spoolsv.exe
7104	spoolsv.exe
7140	spoolsv.exe
7140	spoolsv.exe
6820	spoolsv.exe
6820	spoolsv.exe
3848	spoolsv.exe
3848	spoolsv.exe
6948	spoolsv.exe
6948	spoolsv.exe
1960	spoolsv.exe
1960	spoolsv.exe
7084	spoolsv.exe
7084	spoolsv.exe
7100	diskperf.exe
7100	diskperf.exe
1160	spoolsv.exe
1160	spoolsv.exe
6796	spoolsv.exe
6796	spoolsv.exe
3168	svchost.exe
3168	svchost.exe
1816	spoolsv.exe
1816	spoolsv.exe
2312	spoolsv.exe
2312	spoolsv.exe
7164	spoolsv.exe
7164	spoolsv.exe
3608	spoolsv.exe
3608	spoolsv.exe
4404	spoolsv.exe
4404	spoolsv.exe
4444	spoolsv.exe
4444	spoolsv.exe
2312	spoolsv.exe
2312	spoolsv.exe
3712	spoolsv.exe
3712	spoolsv.exe
4524	spoolsv.exe
4524	spoolsv.exe
2032	spoolsv.exe
2032	spoolsv.exe
4448	svchost.exe
4448	svchost.exe
4492	spoolsv.exe
4492	spoolsv.exe
3688	spoolsv.exe
3688	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b9e4fdb4_by_Libranalysis.exeb9e4fdb4_by_Libranalysis.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3560 wrote to memory of 3712	3560	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 3560 wrote to memory of 3712	3560	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 3560 wrote to memory of 3712	3560	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 3560 wrote to memory of 3712	3560	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 3560 wrote to memory of 3712	3560	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 3560 wrote to memory of 3712	3560	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 3560 wrote to memory of 3712	3560	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 3560 wrote to memory of 3712	3560	b9e4fdb4_by_Libranalysis.exe	b9e4fdb4_by_Libranalysis.exe
PID 3560 wrote to memory of 3564	3560	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 3560 wrote to memory of 3564	3560	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 3560 wrote to memory of 3564	3560	b9e4fdb4_by_Libranalysis.exe	diskperf.exe
PID 3712 wrote to memory of 3276	3712	b9e4fdb4_by_Libranalysis.exe	explorer.exe
PID 3712 wrote to memory of 3276	3712	b9e4fdb4_by_Libranalysis.exe	explorer.exe
PID 3712 wrote to memory of 3276	3712	b9e4fdb4_by_Libranalysis.exe	explorer.exe
PID 3276 wrote to memory of 1300	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1300	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1300	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1300	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1300	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1300	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1300	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 1300	3276	explorer.exe	explorer.exe
PID 3276 wrote to memory of 780	3276	explorer.exe	diskperf.exe
PID 3276 wrote to memory of 780	3276	explorer.exe	diskperf.exe
PID 3276 wrote to memory of 780	3276	explorer.exe	diskperf.exe
PID 3276 wrote to memory of 780	3276	explorer.exe	diskperf.exe
PID 3276 wrote to memory of 780	3276	explorer.exe	diskperf.exe
PID 1300 wrote to memory of 656	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 656	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 656	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3220	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3220	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3220	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 1116	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 1116	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 1116	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 1452	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 1452	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 1452	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2564	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2564	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2564	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 1096	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 1096	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 1096	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 920	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 920	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 920	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2748	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2748	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2748	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3164	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3164	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3164	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2496	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2496	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2496	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3788	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3788	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3788	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3768	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3768	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 3768	1300	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2308	1300	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\b9e4fdb4_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\b9e4fdb4_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Users\Admin\AppData\Local\Temp\b9e4fdb4_by_Libranalysis.exe
  "C:\Users\Admin\AppData\Local\Temp\b9e4fdb4_by_Libranalysis.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3712
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:656
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6732
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6832
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3220
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6844
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1116
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6896
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1452
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6968
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7044
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2564
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7028
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1096
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7104
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6740
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:920
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7140
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2748
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6820
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3164
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3848
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2496
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6948
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6996
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3788
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1960
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3768
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7084
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6980
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2308
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7100
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2228
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6788
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:432
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6796
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2768
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3168
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2376
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1824
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1816
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2152
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3564
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2312
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1604
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7164
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7160
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3592
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3608
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6864
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2332
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3168
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1844
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4444
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3456
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2312
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4460
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:64
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3712
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4504
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1632
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4524
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6744
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2144
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2032
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4012
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2336
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4608
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3856
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4492
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3992
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1444
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3688
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4672
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2580
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3608
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2232
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:988
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1108
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4732
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3948
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1908
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2280
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2736
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4448
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2208
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2884
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1528
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3700
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4684
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4848
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3576
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3996
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4876
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3952
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1820
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1860
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1588
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1696
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2276
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:784
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4592
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:752
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1068
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2312
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5004
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4684
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4880
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3224
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5056
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4892
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1268
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3964
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5104
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:524
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4940
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4136
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1212
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4960
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3692
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3276
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4988
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2284
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3844
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4860
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4352
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5072
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5132
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4128
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1820
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2788
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4152
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1296
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4016
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4192
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4204
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2884
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4216
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5228
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2396
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4240
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4120
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1532
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4276
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5144
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5160
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4300
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5320
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1296
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4324
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5372
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5212
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4364
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5404
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5240
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4388
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4260
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4120
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4412
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5468
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4432
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4144
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4304
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4452
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5352
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4480
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4328
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4268
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4496
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4108
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4516
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5560
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4532
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5464
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5432
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4564
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5480
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4580
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4596
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5656
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4340
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4612
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6808
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:780
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3564

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:5608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
b9e4fdb4f1d1e50fb2b1bc6f8e648e91

SHA1
afe3e9370a5fb240ae917a9089fc07b6a54a7bd6

SHA256
33be12e4978d894da637959e06d3d125923816ccdf52c644b5ebf24ab8ea06d5

SHA512
ff4f45aca5c634e0e64623c8dd1e5521b502713166c5cc01699d3eef24b39e3ae7238d8afa61457c418d242cadb9505ba09a7b50cfac55cf5fa4855c7bdb2cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
2a5b1dc3c68164af55e12bca86f07cb2

SHA1
79c77fcdc3cefa62c7a72ed897522c83b84dd617

SHA256
778dba2ca97776e04165ca86dcfd9fb50f7b508684d6e4dd83cbf43de9618f8e

SHA512
3f04d34545e3e10de0a9ac3be1dfce5f3a8832780b73815827f36f816560a8bec22fefc9703baae31cb752e833a3ef18e58dd45e72bc15fa8bf67cb4255a23b7

Download Submit
C:\Windows\System\explorer.exe

MD5
2a5b1dc3c68164af55e12bca86f07cb2

SHA1
79c77fcdc3cefa62c7a72ed897522c83b84dd617

SHA256
778dba2ca97776e04165ca86dcfd9fb50f7b508684d6e4dd83cbf43de9618f8e

SHA512
3f04d34545e3e10de0a9ac3be1dfce5f3a8832780b73815827f36f816560a8bec22fefc9703baae31cb752e833a3ef18e58dd45e72bc15fa8bf67cb4255a23b7

Download Submit
C:\Windows\System\explorer.exe

MD5
2a5b1dc3c68164af55e12bca86f07cb2

SHA1
79c77fcdc3cefa62c7a72ed897522c83b84dd617

SHA256
778dba2ca97776e04165ca86dcfd9fb50f7b508684d6e4dd83cbf43de9618f8e

SHA512
3f04d34545e3e10de0a9ac3be1dfce5f3a8832780b73815827f36f816560a8bec22fefc9703baae31cb752e833a3ef18e58dd45e72bc15fa8bf67cb4255a23b7

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
C:\Windows\System\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
\??\c:\windows\system\explorer.exe

MD5
2a5b1dc3c68164af55e12bca86f07cb2

SHA1
79c77fcdc3cefa62c7a72ed897522c83b84dd617

SHA256
778dba2ca97776e04165ca86dcfd9fb50f7b508684d6e4dd83cbf43de9618f8e

SHA512
3f04d34545e3e10de0a9ac3be1dfce5f3a8832780b73815827f36f816560a8bec22fefc9703baae31cb752e833a3ef18e58dd45e72bc15fa8bf67cb4255a23b7

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
55b174d0ba13b3ea275db51c048baf27

SHA1
d946dffd2f9abf4e93ebab75c66a059b6e09c313

SHA256
56a636e6ccba609f1aa5045197f15453f2640b892ac3b3e60c07dc048550d564

SHA512
b672297b71f5d0494307888eccf9c851afab609fc5743253a5b64ce510e14799f22afdcf556d0c6122aebc719be8b3d6408742d5a2c43155f779fae74ef6af88

Download Submit
memory/64-213-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/64-208-0x0000000000000000-mapping.dmp

Download
memory/432-182-0x0000000000000000-mapping.dmp

Download
memory/432-190-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/524-269-0x0000000000000000-mapping.dmp

Download
memory/656-146-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/656-139-0x0000000000000000-mapping.dmp

Download
memory/780-131-0x0000000000411000-mapping.dmp

Download
memory/780-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/780-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/784-252-0x0000000000000000-mapping.dmp

Download
memory/784-256-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/920-158-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/920-155-0x0000000000000000-mapping.dmp

Download
memory/988-234-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/988-229-0x0000000000000000-mapping.dmp

Download
memory/1068-257-0x0000000000000000-mapping.dmp

Download
memory/1068-263-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/1096-153-0x0000000000000000-mapping.dmp

Download
memory/1096-160-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1116-144-0x0000000000000000-mapping.dmp

Download
memory/1116-148-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/1212-276-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1212-271-0x0000000000000000-mapping.dmp

Download
memory/1268-264-0x0000000000000000-mapping.dmp

Download
memory/1268-268-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/1300-126-0x0000000000403670-mapping.dmp

Download
memory/1444-221-0x0000000000000000-mapping.dmp

Download
memory/1444-224-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1452-149-0x0000000000000000-mapping.dmp

Download
memory/1452-157-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1588-250-0x0000000000000000-mapping.dmp

Download
memory/1588-255-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1604-202-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1604-194-0x0000000000000000-mapping.dmp

Download
memory/1632-210-0x0000000000000000-mapping.dmp

Download
memory/1632-214-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1760-184-0x0000000000000000-mapping.dmp

Download
memory/1760-191-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1824-186-0x0000000000000000-mapping.dmp

Download
memory/1844-203-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/1844-200-0x0000000000000000-mapping.dmp

Download
memory/2144-223-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download
memory/2144-215-0x0000000000000000-mapping.dmp

Download
memory/2208-238-0x0000000000000000-mapping.dmp

Download
memory/2208-246-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2228-181-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2228-176-0x0000000000000000-mapping.dmp

Download
memory/2280-244-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2280-236-0x0000000000000000-mapping.dmp

Download
memory/2308-180-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2308-174-0x0000000000000000-mapping.dmp

Download
memory/2332-205-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2332-198-0x0000000000000000-mapping.dmp

Download
memory/2336-217-0x0000000000000000-mapping.dmp

Download
memory/2336-225-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2384-231-0x0000000000000000-mapping.dmp

Download
memory/2384-235-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2496-165-0x0000000000000000-mapping.dmp

Download
memory/2496-169-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2564-151-0x0000000000000000-mapping.dmp

Download
memory/2580-233-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2580-227-0x0000000000000000-mapping.dmp

Download
memory/2748-167-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2748-161-0x0000000000000000-mapping.dmp

Download
memory/3156-259-0x0000000000000000-mapping.dmp

Download
memory/3156-265-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3164-163-0x0000000000000000-mapping.dmp

Download
memory/3220-142-0x0000000000000000-mapping.dmp

Download
memory/3220-147-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3224-261-0x0000000000000000-mapping.dmp

Download
memory/3224-266-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3276-121-0x0000000000000000-mapping.dmp

Download
memory/3276-124-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/3276-277-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3276-273-0x0000000000000000-mapping.dmp

Download
memory/3456-212-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3456-206-0x0000000000000000-mapping.dmp

Download
memory/3560-114-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/3564-188-0x0000000000000000-mapping.dmp

Download
memory/3564-192-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3576-242-0x0000000000000000-mapping.dmp

Download
memory/3576-245-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3592-204-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/3592-196-0x0000000000000000-mapping.dmp

Download
memory/3700-240-0x0000000000000000-mapping.dmp

Download
memory/3700-247-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3712-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3712-116-0x0000000000403670-mapping.dmp

Download
memory/3712-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3768-179-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3768-172-0x0000000000000000-mapping.dmp

Download
memory/3788-170-0x0000000000000000-mapping.dmp

Download
memory/3844-286-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3844-278-0x0000000000000000-mapping.dmp

Download
memory/3856-226-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3856-219-0x0000000000000000-mapping.dmp

Download
memory/3952-254-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3952-248-0x0000000000000000-mapping.dmp

Download
memory/4104-288-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4104-280-0x0000000000000000-mapping.dmp

Download
memory/4128-282-0x0000000000000000-mapping.dmp

Download
memory/4128-289-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4152-284-0x0000000000000000-mapping.dmp

Download
memory/4152-287-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4192-290-0x0000000000000000-mapping.dmp

Download
memory/4192-296-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4216-292-0x0000000000000000-mapping.dmp

Download
memory/4216-298-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4240-294-0x0000000000000000-mapping.dmp

Download
memory/4240-297-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4276-305-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4276-299-0x0000000000000000-mapping.dmp

Download
memory/4300-301-0x0000000000000000-mapping.dmp

Download
memory/4300-306-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4324-307-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4324-303-0x0000000000000000-mapping.dmp

Download
memory/4364-308-0x0000000000000000-mapping.dmp

Download
memory/4364-314-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/4388-310-0x0000000000000000-mapping.dmp

Download
memory/4388-315-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4412-312-0x0000000000000000-mapping.dmp

Download
memory/4432-313-0x0000000000000000-mapping.dmp

Download