warzonerat | adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052

Analysis

max time kernel
151s
max time network
111s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
Size

1.8MB
MD5

c2c72d0ce1e2b4aa824b3b11209e20c6
SHA1

535479e17340b248724de24bfd385c5739bbcac0
SHA256

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052
SHA512

a64a7b2c9092501e32b7bcdbc779c178a33af187639e34b14dd3e9c60a5e60929c049ed41614c5d63673b9c584803f459921d54d026bbbe2f76a8d9884744a04

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2352	explorer.exe
3092	explorer.exe
3956	spoolsv.exe
3556	spoolsv.exe
3904	spoolsv.exe
1108	spoolsv.exe
1436	spoolsv.exe
2060	spoolsv.exe
3964	spoolsv.exe
3968	spoolsv.exe
2824	spoolsv.exe
1776	spoolsv.exe
1576	spoolsv.exe
3996	spoolsv.exe
3880	spoolsv.exe
3868	spoolsv.exe
2100	spoolsv.exe
1464	spoolsv.exe
3440	spoolsv.exe
1844	spoolsv.exe
1728	spoolsv.exe
1548	spoolsv.exe
932	spoolsv.exe
2744	spoolsv.exe
1228	spoolsv.exe
412	spoolsv.exe
772	spoolsv.exe
2772	spoolsv.exe
2720	spoolsv.exe
1940	spoolsv.exe
2764	spoolsv.exe
3808	spoolsv.exe
1832	spoolsv.exe
2016	spoolsv.exe
1656	spoolsv.exe
3908	spoolsv.exe
3640	spoolsv.exe
8	spoolsv.exe
208	spoolsv.exe
2004	spoolsv.exe
988	spoolsv.exe
1648	spoolsv.exe
1472	spoolsv.exe
2144	spoolsv.exe
3524	spoolsv.exe
3624	spoolsv.exe
3332	spoolsv.exe
2320	spoolsv.exe
3532	spoolsv.exe
2740	spoolsv.exe
2244	spoolsv.exe
2932	spoolsv.exe
4104	spoolsv.exe
4128	spoolsv.exe
4152	spoolsv.exe
4192	spoolsv.exe
4216	spoolsv.exe
4240	spoolsv.exe
4280	spoolsv.exe
4304	spoolsv.exe
4328	spoolsv.exe
4348	spoolsv.exe
4364	spoolsv.exe
4388	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeadff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3952 set thread context of 1236	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
PID 3952 set thread context of 188	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	diskperf.exe
PID 2352 set thread context of 3092	2352	explorer.exe	explorer.exe
PID 2352 set thread context of 3768	2352	explorer.exe	diskperf.exe
PID 3956 set thread context of 6540	3956	spoolsv.exe	spoolsv.exe
PID 3956 set thread context of 6564	3956	spoolsv.exe	diskperf.exe
PID 3556 set thread context of 6656	3556	spoolsv.exe	spoolsv.exe
PID 3556 set thread context of 6672	3556	spoolsv.exe	diskperf.exe
PID 3904 set thread context of 6684	3904	spoolsv.exe	spoolsv.exe
PID 3904 set thread context of 6724	3904	spoolsv.exe	diskperf.exe
PID 1108 set thread context of 6780	1108	spoolsv.exe	spoolsv.exe
PID 1108 set thread context of 6816	1108	spoolsv.exe	diskperf.exe
PID 1436 set thread context of 6828	1436	spoolsv.exe	spoolsv.exe
PID 1436 set thread context of 6872	1436	spoolsv.exe	diskperf.exe
PID 2060 set thread context of 6896	2060	spoolsv.exe	spoolsv.exe
PID 2060 set thread context of 6928	2060	spoolsv.exe	diskperf.exe
PID 3964 set thread context of 6964	3964	spoolsv.exe	spoolsv.exe
PID 3968 set thread context of 6980	3968	spoolsv.exe	spoolsv.exe
PID 2824 set thread context of 7000	2824	spoolsv.exe	spoolsv.exe
PID 3964 set thread context of 7016	3964	spoolsv.exe	diskperf.exe
PID 2824 set thread context of 7076	2824	spoolsv.exe	diskperf.exe
PID 1776 set thread context of 7096	1776	spoolsv.exe	spoolsv.exe
PID 1776 set thread context of 7108	1776	spoolsv.exe	diskperf.exe
PID 1576 set thread context of 7128	1576	spoolsv.exe	spoolsv.exe
PID 1576 set thread context of 7136	1576	spoolsv.exe	diskperf.exe
PID 3996 set thread context of 3104	3996	spoolsv.exe	spoolsv.exe
PID 3996 set thread context of 3644	3996	spoolsv.exe	diskperf.exe
PID 3880 set thread context of 6608	3880	spoolsv.exe	spoolsv.exe
PID 3880 set thread context of 6544	3880	spoolsv.exe	diskperf.exe
PID 3868 set thread context of 6700	3868	spoolsv.exe	spoolsv.exe
PID 3868 set thread context of 3788	3868	spoolsv.exe	diskperf.exe
PID 2100 set thread context of 6732	2100	spoolsv.exe	diskperf.exe
PID 2100 set thread context of 6788	2100	spoolsv.exe	diskperf.exe
PID 1464 set thread context of 6844	1464	spoolsv.exe	spoolsv.exe
PID 1464 set thread context of 6868	1464	spoolsv.exe	diskperf.exe
PID 3440 set thread context of 6812	3440	spoolsv.exe	svchost.exe
PID 3440 set thread context of 6944	3440	spoolsv.exe	diskperf.exe
PID 1844 set thread context of 6992	1844	spoolsv.exe	spoolsv.exe
PID 1844 set thread context of 6936	1844	spoolsv.exe	diskperf.exe
PID 1728 set thread context of 3728	1728	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 7008	1548	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 7104	1548	spoolsv.exe	diskperf.exe
PID 932 set thread context of 7132	932	spoolsv.exe	spoolsv.exe
PID 2744 set thread context of 800	2744	spoolsv.exe	spoolsv.exe
PID 1228 set thread context of 2196	1228	spoolsv.exe	spoolsv.exe
PID 1228 set thread context of 6760	1228	spoolsv.exe	diskperf.exe
PID 412 set thread context of 1388	412	spoolsv.exe	svchost.exe
PID 412 set thread context of 6732	412	spoolsv.exe	diskperf.exe
PID 772 set thread context of 4020	772	spoolsv.exe	spoolsv.exe
PID 772 set thread context of 4376	772	spoolsv.exe	diskperf.exe
PID 2772 set thread context of 1616	2772	spoolsv.exe	spoolsv.exe
PID 2772 set thread context of 4428	2772	spoolsv.exe	diskperf.exe
PID 2720 set thread context of 4444	2720	spoolsv.exe	spoolsv.exe
PID 2720 set thread context of 7060	2720	spoolsv.exe	diskperf.exe
PID 1940 set thread context of 4464	1940	spoolsv.exe	spoolsv.exe
PID 1940 set thread context of 4460	1940	spoolsv.exe	diskperf.exe
PID 2764 set thread context of 4492	2764	spoolsv.exe	spoolsv.exe
PID 2764 set thread context of 4508	2764	spoolsv.exe	diskperf.exe
PID 3808 set thread context of 2376	3808	spoolsv.exe	spoolsv.exe
PID 3808 set thread context of 2316	3808	spoolsv.exe	diskperf.exe
PID 1832 set thread context of 3944	1832	spoolsv.exe	spoolsv.exe
PID 1832 set thread context of 3924	1832	spoolsv.exe	diskperf.exe
PID 2016 set thread context of 2484	2016	spoolsv.exe	spoolsv.exe
PID 2016 set thread context of 4588	2016	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exeexplorer.exe

pid	process
1236	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
1236	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3092 explorer.exe

pid	process
3092	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exediskperf.exespoolsv.exesvchost.exesvchost.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1236	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
1236	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
3092	explorer.exe
6540	spoolsv.exe
6540	spoolsv.exe
6656	spoolsv.exe
6684	spoolsv.exe
6656	spoolsv.exe
6684	spoolsv.exe
6780	spoolsv.exe
6780	spoolsv.exe
6828	spoolsv.exe
6828	spoolsv.exe
6896	spoolsv.exe
6896	spoolsv.exe
6964	spoolsv.exe
6980	spoolsv.exe
7000	spoolsv.exe
7000	spoolsv.exe
6980	spoolsv.exe
6964	spoolsv.exe
7096	spoolsv.exe
7096	spoolsv.exe
7128	spoolsv.exe
7128	spoolsv.exe
3104	spoolsv.exe
3104	spoolsv.exe
6608	spoolsv.exe
6608	spoolsv.exe
6700	spoolsv.exe
6700	spoolsv.exe
6732	diskperf.exe
6732	diskperf.exe
6844	spoolsv.exe
6844	spoolsv.exe
6812	svchost.exe
6812	svchost.exe
6992	svchost.exe
6992	svchost.exe
3728	spoolsv.exe
3728	spoolsv.exe
7008	spoolsv.exe
7008	spoolsv.exe
7132	spoolsv.exe
7132	spoolsv.exe
800	spoolsv.exe
800	spoolsv.exe
2196	spoolsv.exe
2196	spoolsv.exe
1388	svchost.exe
1388	svchost.exe
4020	spoolsv.exe
4020	spoolsv.exe
1616	spoolsv.exe
1616	spoolsv.exe
4444	spoolsv.exe
4444	spoolsv.exe
4464	spoolsv.exe
4464	spoolsv.exe
4492	spoolsv.exe
4492	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exeadff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3952 wrote to memory of 1236	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
PID 3952 wrote to memory of 1236	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
PID 3952 wrote to memory of 1236	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
PID 3952 wrote to memory of 1236	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
PID 3952 wrote to memory of 1236	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
PID 3952 wrote to memory of 1236	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
PID 3952 wrote to memory of 1236	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
PID 3952 wrote to memory of 1236	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
PID 3952 wrote to memory of 188	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	diskperf.exe
PID 3952 wrote to memory of 188	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	diskperf.exe
PID 3952 wrote to memory of 188	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	diskperf.exe
PID 3952 wrote to memory of 188	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	diskperf.exe
PID 3952 wrote to memory of 188	3952	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	diskperf.exe
PID 1236 wrote to memory of 2352	1236	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	explorer.exe
PID 1236 wrote to memory of 2352	1236	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	explorer.exe
PID 1236 wrote to memory of 2352	1236	adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe	explorer.exe
PID 2352 wrote to memory of 3092	2352	explorer.exe	explorer.exe
PID 2352 wrote to memory of 3092	2352	explorer.exe	explorer.exe
PID 2352 wrote to memory of 3092	2352	explorer.exe	explorer.exe
PID 2352 wrote to memory of 3092	2352	explorer.exe	explorer.exe
PID 2352 wrote to memory of 3092	2352	explorer.exe	explorer.exe
PID 2352 wrote to memory of 3092	2352	explorer.exe	explorer.exe
PID 2352 wrote to memory of 3092	2352	explorer.exe	explorer.exe
PID 2352 wrote to memory of 3092	2352	explorer.exe	explorer.exe
PID 2352 wrote to memory of 3768	2352	explorer.exe	diskperf.exe
PID 2352 wrote to memory of 3768	2352	explorer.exe	diskperf.exe
PID 2352 wrote to memory of 3768	2352	explorer.exe	diskperf.exe
PID 2352 wrote to memory of 3768	2352	explorer.exe	diskperf.exe
PID 2352 wrote to memory of 3768	2352	explorer.exe	diskperf.exe
PID 3092 wrote to memory of 3956	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3956	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3956	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3556	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3556	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3556	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3904	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3904	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3904	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1108	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1108	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1108	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1436	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1436	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1436	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 2060	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 2060	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 2060	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3964	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3964	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3964	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3968	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3968	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3968	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 2824	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 2824	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 2824	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1776	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1776	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1776	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1576	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1576	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 1576	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3996	3092	explorer.exe	spoolsv.exe
PID 3092 wrote to memory of 3996	3092	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
"C:\Users\Admin\AppData\Local\Temp\adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe
  "C:\Users\Admin\AppData\Local\Temp\adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1236
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3956
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6540
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6616
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3556
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6656
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6772
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3904
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6684
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1108
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6780
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1436
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6828
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2060
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6896
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3964
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7016
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3968
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6980
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2824
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7000
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1776
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7096
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1576
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7128
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7156
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3996
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3104
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3880
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6608
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6560
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3868
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6700
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6744
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2100
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6732
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:484
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1464
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6844
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6908
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3440
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6812
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6956
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1844
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6936
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1728
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3728
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6984
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7008
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7132
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:496
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2744
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6580
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1228
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3024
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:412
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1388
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3548
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6812
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6992
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2720
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1152
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3940
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2764
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4492
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6680
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3808
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2376
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2088
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1832
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3944
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1388
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2016
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2484
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1772
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1656
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1304
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3652
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3908
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4624
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4432
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3640
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3256
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3728
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:8
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1240
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3864
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:208
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2164
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4732
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2004
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1544
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4768
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:988
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3680
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2532
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1648
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2556
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4828
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1472
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4848
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3488
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2144
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2968
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1128
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3524
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3624
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1240
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3696
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3332
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2288
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1544
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2320
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:628
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2784
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2556
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2740
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:804
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2244
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1252
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4116
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2560
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3144
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1240
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2376
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4128
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2980
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1768
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4152
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2808
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4812
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4192
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5172
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:68
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4216
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4896
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1252
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4240
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5236
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2560
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4280
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4124
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4296
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4304
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1296
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5304
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4328
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5156
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4196
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4348
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1112
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4220
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4364
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:68
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4388
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5404
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4112
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4404
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4908
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4420
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4124
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4436
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4324
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1296
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4452
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5172
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4468
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5156
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5536
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4484
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5372
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4500
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4160
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6600
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:3768
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:188

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
c2c72d0ce1e2b4aa824b3b11209e20c6

SHA1
535479e17340b248724de24bfd385c5739bbcac0

SHA256
adff9b172f90f6ec4181ab6e64a7baf864adbc954947649f77739b939ae8f052

SHA512
a64a7b2c9092501e32b7bcdbc779c178a33af187639e34b14dd3e9c60a5e60929c049ed41614c5d63673b9c584803f459921d54d026bbbe2f76a8d9884744a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
174bed935f2c8f6dc860d3f8530a044a

SHA1
f7de2ead66b78ae1563baa77f7e8a75ec4af89c7

SHA256
ada31a47218206a2e0cac2313488e56a9218a01165347a701b4f7b9b76d31b9d

SHA512
19f9de53af52ad73c7700a1c2e82ec8ef7cdedba088f0ea12821624bcbe95dab85799fca0b49761cb4cc94d3a194741cdfd582a0c7ce3cf70df4d5370ade5de6

Download Submit
C:\Windows\System\explorer.exe

MD5
174bed935f2c8f6dc860d3f8530a044a

SHA1
f7de2ead66b78ae1563baa77f7e8a75ec4af89c7

SHA256
ada31a47218206a2e0cac2313488e56a9218a01165347a701b4f7b9b76d31b9d

SHA512
19f9de53af52ad73c7700a1c2e82ec8ef7cdedba088f0ea12821624bcbe95dab85799fca0b49761cb4cc94d3a194741cdfd582a0c7ce3cf70df4d5370ade5de6

Download Submit
C:\Windows\System\explorer.exe

MD5
174bed935f2c8f6dc860d3f8530a044a

SHA1
f7de2ead66b78ae1563baa77f7e8a75ec4af89c7

SHA256
ada31a47218206a2e0cac2313488e56a9218a01165347a701b4f7b9b76d31b9d

SHA512
19f9de53af52ad73c7700a1c2e82ec8ef7cdedba088f0ea12821624bcbe95dab85799fca0b49761cb4cc94d3a194741cdfd582a0c7ce3cf70df4d5370ade5de6

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
\??\c:\windows\system\explorer.exe

MD5
174bed935f2c8f6dc860d3f8530a044a

SHA1
f7de2ead66b78ae1563baa77f7e8a75ec4af89c7

SHA256
ada31a47218206a2e0cac2313488e56a9218a01165347a701b4f7b9b76d31b9d

SHA512
19f9de53af52ad73c7700a1c2e82ec8ef7cdedba088f0ea12821624bcbe95dab85799fca0b49761cb4cc94d3a194741cdfd582a0c7ce3cf70df4d5370ade5de6

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
f39d81ddd5beae3e7a5e012d67131b0d

SHA1
c03ca1d59350e6778b3246f75e82a23f69fc4202

SHA256
cb742f58e753a730a48d7809819edb7a301f549bffca7a599b9891ee4bc5864a

SHA512
2d1b31dd6e663e0c226610fb3a7f242ba6306df9a9213c62ebba07d9ea9b3cf0804582d231a4e048d69b1980544e53852f172669a0520692639d8b79fd47e7b5

Download Submit
memory/8-250-0x0000000000000000-mapping.dmp

Download
memory/8-256-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/188-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/188-118-0x0000000000411000-mapping.dmp

Download
memory/188-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/208-252-0x0000000000000000-mapping.dmp

Download
memory/208-258-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/412-217-0x00000000005C0000-0x000000000066E000-memory.dmp

Filesize
696KB

Download
memory/412-212-0x0000000000000000-mapping.dmp

Download
memory/772-219-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/772-215-0x0000000000000000-mapping.dmp

Download
memory/932-201-0x0000000000000000-mapping.dmp

Download
memory/932-204-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/988-257-0x0000000000000000-mapping.dmp

Download
memory/988-267-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1108-152-0x0000000000000000-mapping.dmp

Download
memory/1108-159-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1228-216-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1228-210-0x0000000000000000-mapping.dmp

Download
memory/1236-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1236-116-0x0000000000403670-mapping.dmp

Download
memory/1236-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1436-154-0x0000000000000000-mapping.dmp

Download
memory/1436-157-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1464-188-0x0000000000000000-mapping.dmp

Download
memory/1464-193-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1472-263-0x0000000000000000-mapping.dmp

Download
memory/1472-270-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1548-199-0x0000000000000000-mapping.dmp

Download
memory/1548-207-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1576-174-0x0000000000000000-mapping.dmp

Download
memory/1576-182-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1648-261-0x0000000000000000-mapping.dmp

Download
memory/1648-268-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1656-241-0x0000000000000000-mapping.dmp

Download
memory/1656-247-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1728-206-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1728-197-0x0000000000000000-mapping.dmp

Download
memory/1776-172-0x0000000000000000-mapping.dmp

Download
memory/1776-180-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1832-233-0x0000000000000000-mapping.dmp

Download
memory/1832-240-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1844-195-0x0000000000000000-mapping.dmp

Download
memory/1844-205-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1940-224-0x0000000000000000-mapping.dmp

Download
memory/1940-227-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2004-259-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2004-254-0x0000000000000000-mapping.dmp

Download
memory/2016-238-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2016-235-0x0000000000000000-mapping.dmp

Download
memory/2060-160-0x0000000000000000-mapping.dmp

Download
memory/2100-186-0x0000000000000000-mapping.dmp

Download
memory/2100-192-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2144-265-0x0000000000000000-mapping.dmp

Download
memory/2144-269-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2244-291-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2244-287-0x0000000000000000-mapping.dmp

Download
memory/2320-277-0x0000000000000000-mapping.dmp

Download
memory/2320-280-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2352-129-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/2352-124-0x0000000000000000-mapping.dmp

Download
memory/2720-222-0x0000000000000000-mapping.dmp

Download
memory/2720-228-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2740-285-0x0000000000000000-mapping.dmp

Download
memory/2740-290-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2744-214-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2744-208-0x0000000000000000-mapping.dmp

Download
memory/2764-229-0x0000000000000000-mapping.dmp

Download
memory/2764-237-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2772-220-0x0000000000000000-mapping.dmp

Download
memory/2772-226-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2824-166-0x0000000000000000-mapping.dmp

Download
memory/2824-169-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2932-292-0x0000000000000000-mapping.dmp

Download
memory/2932-300-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3092-131-0x0000000000403670-mapping.dmp

Download
memory/3332-275-0x0000000000000000-mapping.dmp

Download
memory/3332-282-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3440-203-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3440-191-0x0000000000000000-mapping.dmp

Download
memory/3524-279-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3524-271-0x0000000000000000-mapping.dmp

Download
memory/3532-289-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3532-283-0x0000000000000000-mapping.dmp

Download
memory/3556-156-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3556-148-0x0000000000000000-mapping.dmp

Download
memory/3624-273-0x0000000000000000-mapping.dmp

Download
memory/3640-249-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3640-245-0x0000000000000000-mapping.dmp

Download
memory/3768-137-0x0000000000411000-mapping.dmp

Download
memory/3808-239-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3808-231-0x0000000000000000-mapping.dmp

Download
memory/3868-184-0x0000000000000000-mapping.dmp

Download
memory/3868-190-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3880-181-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3880-178-0x0000000000000000-mapping.dmp

Download
memory/3904-158-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3904-150-0x0000000000000000-mapping.dmp

Download
memory/3908-248-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3908-243-0x0000000000000000-mapping.dmp

Download
memory/3952-114-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3956-142-0x0000000000000000-mapping.dmp

Download
memory/3956-147-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3964-170-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3964-162-0x0000000000000000-mapping.dmp

Download
memory/3968-164-0x0000000000000000-mapping.dmp

Download
memory/3968-171-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3996-176-0x0000000000000000-mapping.dmp

Download
memory/3996-183-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4104-302-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4104-294-0x0000000000000000-mapping.dmp

Download
memory/4128-303-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4128-296-0x0000000000000000-mapping.dmp

Download
memory/4152-301-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4152-298-0x0000000000000000-mapping.dmp

Download
memory/4192-310-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4192-304-0x0000000000000000-mapping.dmp

Download
memory/4216-306-0x0000000000000000-mapping.dmp

Download
memory/4240-308-0x0000000000000000-mapping.dmp

Download
memory/4240-312-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4280-313-0x0000000000000000-mapping.dmp

Download
memory/4280-318-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4304-315-0x0000000000000000-mapping.dmp

Download
memory/4328-317-0x0000000000000000-mapping.dmp

Download