warzonerat | 29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
Size

1.8MB
MD5

ca44c4e684beb00dc8085b73edec55c8
SHA1

934b397db56b99409b8c553bce0859231d84ce07
SHA256

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713
SHA512

0ebf4b939fadecb31a6f01911dccac3d96a62931f8f882d92a218654d0cfcb6de8d7e95ba572a90a4d648258ff5246b5e0f58e05362bec5e472bfe3509d60355

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1884	explorer.exe
2164	explorer.exe
1748	spoolsv.exe
2860	spoolsv.exe
2828	spoolsv.exe
3800	spoolsv.exe
2296	spoolsv.exe
2864	spoolsv.exe
3836	spoolsv.exe
1952	spoolsv.exe
3312	spoolsv.exe
3716	spoolsv.exe
3212	spoolsv.exe
2492	spoolsv.exe
2588	spoolsv.exe
996	spoolsv.exe
3544	spoolsv.exe
2584	spoolsv.exe
3708	spoolsv.exe
3980	spoolsv.exe
4064	spoolsv.exe
420	spoolsv.exe
2668	spoolsv.exe
2996	spoolsv.exe
416	spoolsv.exe
1684	spoolsv.exe
1264	spoolsv.exe
3856	spoolsv.exe
3944	spoolsv.exe
2928	spoolsv.exe
3512	spoolsv.exe
3088	spoolsv.exe
2064	spoolsv.exe
4088	spoolsv.exe
648	spoolsv.exe
396	spoolsv.exe
1116	spoolsv.exe
2884	spoolsv.exe
3356	spoolsv.exe
1244	spoolsv.exe
2624	spoolsv.exe
2508	spoolsv.exe
3788	spoolsv.exe
3552	spoolsv.exe
568	spoolsv.exe
2100	spoolsv.exe
3192	spoolsv.exe
2876	spoolsv.exe
1316	spoolsv.exe
4104	spoolsv.exe
4140	spoolsv.exe
4164	spoolsv.exe
4188	spoolsv.exe
4212	spoolsv.exe
4252	spoolsv.exe
4276	spoolsv.exe
4300	spoolsv.exe
4328	spoolsv.exe
4364	spoolsv.exe
4392	spoolsv.exe
4416	spoolsv.exe
4440	spoolsv.exe
4460	spoolsv.exe
4476	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 59 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1852 set thread context of 3752	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1852 set thread context of 1588	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1884 set thread context of 2164	1884	explorer.exe	explorer.exe
PID 1884 set thread context of 3872	1884	explorer.exe	diskperf.exe
PID 1748 set thread context of 6648	1748	spoolsv.exe	spoolsv.exe
PID 2860 set thread context of 6744	2860	spoolsv.exe	spoolsv.exe
PID 2860 set thread context of 6764	2860	spoolsv.exe	diskperf.exe
PID 2828 set thread context of 6832	2828	spoolsv.exe	spoolsv.exe
PID 2828 set thread context of 6848	2828	spoolsv.exe	diskperf.exe
PID 3800 set thread context of 6892	3800	spoolsv.exe	spoolsv.exe
PID 3800 set thread context of 6924	3800	spoolsv.exe	diskperf.exe
PID 2296 set thread context of 6972	2296	spoolsv.exe	spoolsv.exe
PID 2864 set thread context of 6988	2864	spoolsv.exe	spoolsv.exe
PID 2296 set thread context of 7004	2296	spoolsv.exe	diskperf.exe
PID 2864 set thread context of 7032	2864	spoolsv.exe	diskperf.exe
PID 3836 set thread context of 7124	3836	spoolsv.exe	spoolsv.exe
PID 3836 set thread context of 7140	3836	spoolsv.exe	diskperf.exe
PID 1952 set thread context of 7164	1952	spoolsv.exe	spoolsv.exe
PID 1952 set thread context of 3376	1952	spoolsv.exe	diskperf.exe
PID 3312 set thread context of 6672	3312	spoolsv.exe	spoolsv.exe
PID 3312 set thread context of 6716	3312	spoolsv.exe	diskperf.exe
PID 3716 set thread context of 6780	3716	spoolsv.exe	spoolsv.exe
PID 3716 set thread context of 6756	3716	spoolsv.exe	diskperf.exe
PID 3212 set thread context of 2608	3212	spoolsv.exe	spoolsv.exe
PID 3212 set thread context of 6880	3212	spoolsv.exe	diskperf.exe
PID 2492 set thread context of 6956	2492	spoolsv.exe	spoolsv.exe
PID 2492 set thread context of 6844	2492	spoolsv.exe	diskperf.exe
PID 2588 set thread context of 7016	2588	spoolsv.exe	spoolsv.exe
PID 2588 set thread context of 4156	2588	spoolsv.exe	diskperf.exe
PID 996 set thread context of 2580	996	spoolsv.exe	spoolsv.exe
PID 3544 set thread context of 7000	3544	spoolsv.exe	spoolsv.exe
PID 3544 set thread context of 7148	3544	spoolsv.exe	diskperf.exe
PID 2584 set thread context of 1016	2584	spoolsv.exe	spoolsv.exe
PID 2584 set thread context of 4036	2584	spoolsv.exe	diskperf.exe
PID 3708 set thread context of 2628	3708	spoolsv.exe	spoolsv.exe
PID 3708 set thread context of 2848	3708	spoolsv.exe	diskperf.exe
PID 3980 set thread context of 3852	3980	spoolsv.exe	spoolsv.exe
PID 3980 set thread context of 6940	3980	spoolsv.exe	diskperf.exe
PID 4064 set thread context of 6944	4064	spoolsv.exe	spoolsv.exe
PID 4064 set thread context of 3076	4064	spoolsv.exe	diskperf.exe
PID 420 set thread context of 3556	420	spoolsv.exe	spoolsv.exe
PID 420 set thread context of 2632	420	spoolsv.exe	diskperf.exe
PID 2668 set thread context of 7160	2668	spoolsv.exe	spoolsv.exe
PID 2668 set thread context of 3084	2668	spoolsv.exe	diskperf.exe
PID 2996 set thread context of 804	2996	spoolsv.exe	spoolsv.exe
PID 2996 set thread context of 3416	2996	spoolsv.exe	diskperf.exe
PID 416 set thread context of 6672	416	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 764	1684	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 4520	1684	spoolsv.exe	diskperf.exe
PID 1264 set thread context of 2656	1264	spoolsv.exe	spoolsv.exe
PID 1264 set thread context of 6992	1264	spoolsv.exe	diskperf.exe
PID 3856 set thread context of 4584	3856	spoolsv.exe	spoolsv.exe
PID 3856 set thread context of 4612	3856	spoolsv.exe	diskperf.exe
PID 3944 set thread context of 7000	3944	spoolsv.exe	spoolsv.exe
PID 2928 set thread context of 3696	2928	spoolsv.exe	spoolsv.exe
PID 3512 set thread context of 4016	3512	spoolsv.exe	spoolsv.exe
PID 3088 set thread context of 2256	3088	spoolsv.exe	spoolsv.exe
PID 3088 set thread context of 4688	3088	spoolsv.exe	diskperf.exe
PID 2064 set thread context of 2500	2064	spoolsv.exe	spoolsv.exe
PID 4088 set thread context of 4724	4088	spoolsv.exe	spoolsv.exe
PID 4088 set thread context of 4552	4088	spoolsv.exe	diskperf.exe
PID 648 set thread context of 2816	648	spoolsv.exe	spoolsv.exe
PID 648 set thread context of 4604	648	spoolsv.exe	diskperf.exe
PID 396 set thread context of 4788	396	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exeexplorer.exe

pid	process
3752	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
3752	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2164 explorer.exe

pid	process
2164	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
3752	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
3752	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
2164	explorer.exe
6648	spoolsv.exe
6648	spoolsv.exe
6744	spoolsv.exe
6744	spoolsv.exe
6832	spoolsv.exe
6832	spoolsv.exe
6892	spoolsv.exe
6892	spoolsv.exe
6972	spoolsv.exe
6988	spoolsv.exe
6972	spoolsv.exe
6988	spoolsv.exe
7124	spoolsv.exe
7124	spoolsv.exe
7164	spoolsv.exe
7164	spoolsv.exe
6672	spoolsv.exe
6672	spoolsv.exe
6780	spoolsv.exe
6780	spoolsv.exe
2608	spoolsv.exe
2608	spoolsv.exe
6956	spoolsv.exe
6956	spoolsv.exe
7016	spoolsv.exe
7016	spoolsv.exe
2580	spoolsv.exe
2580	spoolsv.exe
7000	spoolsv.exe
7000	spoolsv.exe
1016	spoolsv.exe
1016	spoolsv.exe
2628	spoolsv.exe
2628	spoolsv.exe
3852	spoolsv.exe
3852	spoolsv.exe
6944	spoolsv.exe
6944	spoolsv.exe
3556	spoolsv.exe
3556	spoolsv.exe
7160	spoolsv.exe
7160	spoolsv.exe
804	spoolsv.exe
804	spoolsv.exe
6672	spoolsv.exe
6672	spoolsv.exe
764	spoolsv.exe
764	spoolsv.exe
2656	spoolsv.exe
2656	spoolsv.exe
4584	spoolsv.exe
4584	spoolsv.exe
7000	spoolsv.exe
7000	spoolsv.exe
3696	spoolsv.exe
3696	spoolsv.exe
4016	spoolsv.exe
4016	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1852 wrote to memory of 3752	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1852 wrote to memory of 3752	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1852 wrote to memory of 3752	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1852 wrote to memory of 3752	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1852 wrote to memory of 3752	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1852 wrote to memory of 3752	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1852 wrote to memory of 3752	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1852 wrote to memory of 3752	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
PID 1852 wrote to memory of 1588	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1852 wrote to memory of 1588	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1852 wrote to memory of 1588	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1852 wrote to memory of 1588	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 1852 wrote to memory of 1588	1852	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	diskperf.exe
PID 3752 wrote to memory of 1884	3752	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	explorer.exe
PID 3752 wrote to memory of 1884	3752	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	explorer.exe
PID 3752 wrote to memory of 1884	3752	29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe	explorer.exe
PID 1884 wrote to memory of 2164	1884	explorer.exe	explorer.exe
PID 1884 wrote to memory of 2164	1884	explorer.exe	explorer.exe
PID 1884 wrote to memory of 2164	1884	explorer.exe	explorer.exe
PID 1884 wrote to memory of 2164	1884	explorer.exe	explorer.exe
PID 1884 wrote to memory of 2164	1884	explorer.exe	explorer.exe
PID 1884 wrote to memory of 2164	1884	explorer.exe	explorer.exe
PID 1884 wrote to memory of 2164	1884	explorer.exe	explorer.exe
PID 1884 wrote to memory of 2164	1884	explorer.exe	explorer.exe
PID 1884 wrote to memory of 3872	1884	explorer.exe	diskperf.exe
PID 1884 wrote to memory of 3872	1884	explorer.exe	diskperf.exe
PID 1884 wrote to memory of 3872	1884	explorer.exe	diskperf.exe
PID 1884 wrote to memory of 3872	1884	explorer.exe	diskperf.exe
PID 1884 wrote to memory of 3872	1884	explorer.exe	diskperf.exe
PID 2164 wrote to memory of 1748	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 1748	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 1748	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2860	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2860	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2860	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2828	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2828	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2828	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3800	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3800	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3800	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2296	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2296	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2296	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2864	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2864	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2864	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3836	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3836	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3836	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 1952	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 1952	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 1952	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3312	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3312	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3312	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3716	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3716	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3716	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3212	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3212	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 3212	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2492	2164	explorer.exe	spoolsv.exe
PID 2164 wrote to memory of 2492	2164	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
"C:\Users\Admin\AppData\Local\Temp\29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe
"C:\Users\Admin\AppData\Local\Temp\29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3752

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6648

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6724

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6744

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6812

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6832

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6908

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6892

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6972

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7088

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7124

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:640

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6780

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2608

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6904

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6956

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6964

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7056

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2580

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7000

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1580

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:7148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:1016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2628

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3008

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3852

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:6868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6944

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4160

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3556

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7044

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7160

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1424

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:804

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:6672

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:988

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:764

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7068

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1264

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:6992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:2656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4584

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7156

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:7000

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:3696

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Suspicious use of SetWindowsHookEx
PID:4016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4672

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2256

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2500

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4724

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2816

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:3760

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4788

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4488

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4820

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2884

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4016

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4900

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4916

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1244

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:1008

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:7100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4964

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2816

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4656

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5012

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4840

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5048

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4872

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1328

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2176

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2100

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5112

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4968

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4172

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5016

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4220

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4852

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2144

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4264

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4312

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4376

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3768

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4136

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3364

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:1020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5200

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4836

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2792

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5084

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4376

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5116

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4184

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5164

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5364

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5260

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5408

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4120

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4280

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5460

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4376

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5492

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:4824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4332

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5364

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:4476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4384

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5572

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:5444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4508

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:4456

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:4332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:3940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:5540

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5236

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:6704

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:3872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
ca44c4e684beb00dc8085b73edec55c8

SHA1
934b397db56b99409b8c553bce0859231d84ce07

SHA256
29ffd9d1b4ebe022b91dc7f4d27dd6415608d42dcefeffe95f479de4f74cd713

SHA512
0ebf4b939fadecb31a6f01911dccac3d96a62931f8f882d92a218654d0cfcb6de8d7e95ba572a90a4d648258ff5246b5e0f58e05362bec5e472bfe3509d60355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
dcc3ebdfe8953422de1fba6871719001

SHA1
bf54641404fd1f19f09756aa41d703e00d75e537

SHA256
c6d17498ac837a39363b52eb75fd07eebb434b28a8be78b0cede4c32ef6ba9a1

SHA512
7aa06e6fd67ed399d30b6896273cee03eefb89c6eb470efa0ae9cd1f3fda7c54b801b0eb06be8dcd9bc1a6e939f91726f87f7c5b86986e2490a7d548d645a9e7

Download Submit
C:\Windows\System\explorer.exe
MD5
dcc3ebdfe8953422de1fba6871719001

SHA1
bf54641404fd1f19f09756aa41d703e00d75e537

SHA256
c6d17498ac837a39363b52eb75fd07eebb434b28a8be78b0cede4c32ef6ba9a1

SHA512
7aa06e6fd67ed399d30b6896273cee03eefb89c6eb470efa0ae9cd1f3fda7c54b801b0eb06be8dcd9bc1a6e939f91726f87f7c5b86986e2490a7d548d645a9e7

Download Submit
C:\Windows\System\explorer.exe
MD5
dcc3ebdfe8953422de1fba6871719001

SHA1
bf54641404fd1f19f09756aa41d703e00d75e537

SHA256
c6d17498ac837a39363b52eb75fd07eebb434b28a8be78b0cede4c32ef6ba9a1

SHA512
7aa06e6fd67ed399d30b6896273cee03eefb89c6eb470efa0ae9cd1f3fda7c54b801b0eb06be8dcd9bc1a6e939f91726f87f7c5b86986e2490a7d548d645a9e7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
C:\Windows\System\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
\??\c:\windows\system\explorer.exe
MD5
dcc3ebdfe8953422de1fba6871719001

SHA1
bf54641404fd1f19f09756aa41d703e00d75e537

SHA256
c6d17498ac837a39363b52eb75fd07eebb434b28a8be78b0cede4c32ef6ba9a1

SHA512
7aa06e6fd67ed399d30b6896273cee03eefb89c6eb470efa0ae9cd1f3fda7c54b801b0eb06be8dcd9bc1a6e939f91726f87f7c5b86986e2490a7d548d645a9e7

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
05734379cc16659071946ccffe1719a7

SHA1
75baa74999bea191a67a474b76192c4326476a38

SHA256
d069b5aa3f23b03a5ab6003ec1b961361894b3ade8c55220de96d3b8cb2b5baa

SHA512
0d93e2a0a8c9c62e1241b57f5ada895cc8e4c056f776ecd4ae974138247e50b4287be9b4e7eddcd5534c5a140e9627f3cd373d8cef1db6cf09e788175838046d

Download Submit
memory/396-246-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/396-241-0x0000000000000000-mapping.dmp

Download
memory/416-209-0x0000000000000000-mapping.dmp

Download
memory/416-213-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/420-199-0x0000000000000000-mapping.dmp

Download
memory/420-202-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/568-277-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/568-271-0x0000000000000000-mapping.dmp

Download
memory/648-239-0x0000000000000000-mapping.dmp

Download
memory/648-245-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/996-190-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/996-184-0x0000000000000000-mapping.dmp

Download
memory/1116-247-0x0000000000000000-mapping.dmp

Download
memory/1116-255-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1244-253-0x0000000000000000-mapping.dmp

Download
memory/1244-256-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1264-216-0x0000000000000000-mapping.dmp

Download
memory/1264-223-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1316-282-0x0000000000000000-mapping.dmp

Download
memory/1316-287-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1588-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1588-118-0x0000000000411000-mapping.dmp

Download
memory/1588-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1684-214-0x0000000000000000-mapping.dmp

Download
memory/1684-222-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1748-149-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1748-144-0x0000000000000000-mapping.dmp

Download
memory/1852-114-0x0000000000630000-0x000000000077A000-memory.dmp

Filesize
1.3MB

Download
memory/1884-124-0x0000000000000000-mapping.dmp

Download
memory/1884-129-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1952-165-0x0000000000000000-mapping.dmp

Download
memory/2064-243-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2064-235-0x0000000000000000-mapping.dmp

Download
memory/2100-278-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2100-273-0x0000000000000000-mapping.dmp

Download
memory/2164-131-0x0000000000403670-mapping.dmp

Download
memory/2296-162-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2296-155-0x0000000000000000-mapping.dmp

Download
memory/2492-176-0x0000000000000000-mapping.dmp

Download
memory/2508-261-0x0000000000000000-mapping.dmp

Download
memory/2508-269-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2584-192-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2584-188-0x0000000000000000-mapping.dmp

Download
memory/2588-178-0x0000000000000000-mapping.dmp

Download
memory/2588-183-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2624-259-0x0000000000000000-mapping.dmp

Download
memory/2624-267-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2668-205-0x0000000000000000-mapping.dmp

Download
memory/2668-211-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2828-151-0x0000000000000000-mapping.dmp

Download
memory/2860-150-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2860-147-0x0000000000000000-mapping.dmp

Download
memory/2864-157-0x0000000000000000-mapping.dmp

Download
memory/2864-160-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2876-280-0x0000000000000000-mapping.dmp

Download
memory/2876-286-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2884-249-0x0000000000000000-mapping.dmp

Download
memory/2884-257-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2928-226-0x0000000000000000-mapping.dmp

Download
memory/2928-232-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2996-207-0x0000000000000000-mapping.dmp

Download
memory/2996-212-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3088-234-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3088-230-0x0000000000000000-mapping.dmp

Download
memory/3192-279-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/3192-275-0x0000000000000000-mapping.dmp

Download
memory/3212-174-0x0000000000000000-mapping.dmp

Download
memory/3212-181-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3312-167-0x0000000000000000-mapping.dmp

Download
memory/3312-170-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3356-251-0x0000000000000000-mapping.dmp

Download
memory/3356-258-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/3512-233-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3512-228-0x0000000000000000-mapping.dmp

Download
memory/3544-191-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3544-186-0x0000000000000000-mapping.dmp

Download
memory/3552-268-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3552-265-0x0000000000000000-mapping.dmp

Download
memory/3708-193-0x0000000000000000-mapping.dmp

Download
memory/3708-201-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3716-180-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3716-172-0x0000000000000000-mapping.dmp

Download
memory/3752-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3752-116-0x0000000000403670-mapping.dmp

Download
memory/3752-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3788-270-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3788-263-0x0000000000000000-mapping.dmp

Download
memory/3800-161-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/3800-153-0x0000000000000000-mapping.dmp

Download
memory/3836-163-0x0000000000000000-mapping.dmp

Download
memory/3836-169-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3856-218-0x0000000000000000-mapping.dmp

Download
memory/3872-136-0x0000000000411000-mapping.dmp

Download
memory/3944-225-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3944-220-0x0000000000000000-mapping.dmp

Download
memory/3980-195-0x0000000000000000-mapping.dmp

Download
memory/3980-203-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4064-197-0x0000000000000000-mapping.dmp

Download
memory/4064-204-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4088-244-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4088-237-0x0000000000000000-mapping.dmp

Download
memory/4104-284-0x0000000000000000-mapping.dmp

Download
memory/4104-288-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4140-289-0x0000000000000000-mapping.dmp

Download
memory/4140-297-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4164-299-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4164-291-0x0000000000000000-mapping.dmp

Download
memory/4188-300-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4188-293-0x0000000000000000-mapping.dmp

Download
memory/4212-295-0x0000000000000000-mapping.dmp

Download
memory/4212-298-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4252-307-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4252-301-0x0000000000000000-mapping.dmp

Download
memory/4276-303-0x0000000000000000-mapping.dmp

Download
memory/4276-309-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4300-305-0x0000000000000000-mapping.dmp

Download
memory/4300-312-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4328-308-0x0000000000000000-mapping.dmp

Download
memory/4328-311-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4364-313-0x0000000000000000-mapping.dmp

Download
memory/4364-318-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4392-315-0x0000000000000000-mapping.dmp

Download
memory/4392-319-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/4416-317-0x0000000000000000-mapping.dmp

Download