warzonerat | 5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6

Analysis

max time kernel
143s
max time network
14s
platform
windows7_x64
resource
win7v20210410
submitted
16-05-2021 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
Size

1.8MB
MD5

bd446939da29c3ec6450c05da7ad5db5
SHA1

3a80891a8262beb59976fcad4cb12f2e183619bc
SHA256

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6
SHA512

23c1ccb734415590aaeb10d3886c92394fd4780c57a4991123b040ed15fffc9d5dc6effea7536671eb694641db135bdce29615f48ee6a73575da158539d1bf3b

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1808	explorer.exe
1172	explorer.exe
524	spoolsv.exe
1648	spoolsv.exe
860	spoolsv.exe
1900	spoolsv.exe
2012	spoolsv.exe
1616	spoolsv.exe
1532	spoolsv.exe
1588	spoolsv.exe
908	spoolsv.exe
1440	spoolsv.exe
1080	spoolsv.exe
2040	spoolsv.exe
1220	spoolsv.exe
1244	spoolsv.exe
1676	spoolsv.exe
1060	spoolsv.exe
1808	spoolsv.exe
552	spoolsv.exe
1052	spoolsv.exe
840	spoolsv.exe
1340	spoolsv.exe
1756	spoolsv.exe
1368	spoolsv.exe
1764	spoolsv.exe
1596	spoolsv.exe
1652	spoolsv.exe
1216	spoolsv.exe
616	spoolsv.exe
1360	spoolsv.exe
1912	spoolsv.exe
1760	spoolsv.exe
604	spoolsv.exe
1600	spoolsv.exe
400	spoolsv.exe
1508	spoolsv.exe
1740	spoolsv.exe
1180	spoolsv.exe
1156	spoolsv.exe
1504	spoolsv.exe
932	spoolsv.exe
972	spoolsv.exe
1796	spoolsv.exe
1492	spoolsv.exe
1612	spoolsv.exe
1716	spoolsv.exe
852	spoolsv.exe
1960	spoolsv.exe
1388	spoolsv.exe
680	spoolsv.exe
1904	spoolsv.exe
1236	spoolsv.exe
1728	spoolsv.exe
1264	spoolsv.exe
1780	spoolsv.exe
1664	spoolsv.exe
1092	spoolsv.exe
1608	spoolsv.exe
1768	spoolsv.exe
948	spoolsv.exe
1352	spoolsv.exe
1632	spoolsv.exe
764	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exeexplorer.exe

pid	process
1220	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
1220	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe

Adds Run key to start application 2 TTPs 43 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2040 set thread context of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 set thread context of 800	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 1808 set thread context of 1172	1808	explorer.exe	explorer.exe
PID 1808 set thread context of 924	1808	explorer.exe	diskperf.exe
PID 524 set thread context of 3328	524	spoolsv.exe	spoolsv.exe
PID 524 set thread context of 3336	524	spoolsv.exe	diskperf.exe
PID 1648 set thread context of 3376	1648	spoolsv.exe	spoolsv.exe
PID 1648 set thread context of 3384	1648	spoolsv.exe	diskperf.exe
PID 860 set thread context of 3412	860	spoolsv.exe	spoolsv.exe
PID 860 set thread context of 3420	860	spoolsv.exe	diskperf.exe
PID 1900 set thread context of 3448	1900	spoolsv.exe	spoolsv.exe
PID 1900 set thread context of 3456	1900	spoolsv.exe	diskperf.exe
PID 2012 set thread context of 3484	2012	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 3492	2012	spoolsv.exe	diskperf.exe
PID 1616 set thread context of 3520	1616	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 3528	1616	spoolsv.exe	diskperf.exe
PID 1532 set thread context of 3556	1532	spoolsv.exe	spoolsv.exe
PID 1532 set thread context of 3564	1532	spoolsv.exe	diskperf.exe
PID 1588 set thread context of 3592	1588	spoolsv.exe	spoolsv.exe
PID 1588 set thread context of 3600	1588	spoolsv.exe	diskperf.exe
PID 908 set thread context of 3628	908	spoolsv.exe	spoolsv.exe
PID 908 set thread context of 3636	908	spoolsv.exe	diskperf.exe
PID 1440 set thread context of 3664	1440	spoolsv.exe	spoolsv.exe
PID 1440 set thread context of 3672	1440	spoolsv.exe	diskperf.exe
PID 1080 set thread context of 3700	1080	spoolsv.exe	spoolsv.exe
PID 1080 set thread context of 3708	1080	spoolsv.exe	diskperf.exe
PID 2040 set thread context of 3736	2040	spoolsv.exe	spoolsv.exe
PID 2040 set thread context of 3744	2040	spoolsv.exe	diskperf.exe
PID 1220 set thread context of 3772	1220	spoolsv.exe	spoolsv.exe
PID 1220 set thread context of 3792	1220	spoolsv.exe	diskperf.exe
PID 1244 set thread context of 3800	1244	spoolsv.exe	spoolsv.exe
PID 1244 set thread context of 3808	1244	spoolsv.exe	diskperf.exe
PID 1676 set thread context of 3836	1676	spoolsv.exe	spoolsv.exe
PID 1676 set thread context of 3844	1676	spoolsv.exe	diskperf.exe
PID 1060 set thread context of 3864	1060	spoolsv.exe	spoolsv.exe
PID 1060 set thread context of 3872	1060	spoolsv.exe	diskperf.exe
PID 1808 set thread context of 3900	1808	spoolsv.exe	spoolsv.exe
PID 1808 set thread context of 3908	1808	spoolsv.exe	diskperf.exe
PID 552 set thread context of 3928	552	spoolsv.exe	spoolsv.exe
PID 552 set thread context of 3936	552	spoolsv.exe	diskperf.exe
PID 1052 set thread context of 3956	1052	spoolsv.exe	spoolsv.exe
PID 1052 set thread context of 3964	1052	spoolsv.exe	diskperf.exe
PID 840 set thread context of 3984	840	spoolsv.exe	spoolsv.exe
PID 840 set thread context of 3992	840	spoolsv.exe	diskperf.exe
PID 1340 set thread context of 4020	1340	spoolsv.exe	spoolsv.exe
PID 1756 set thread context of 4028	1756	spoolsv.exe	spoolsv.exe
PID 1340 set thread context of 4036	1340	spoolsv.exe	diskperf.exe
PID 1756 set thread context of 4056	1756	spoolsv.exe	diskperf.exe
PID 1368 set thread context of 4064	1368	spoolsv.exe	spoolsv.exe
PID 1764 set thread context of 4072	1764	spoolsv.exe	spoolsv.exe
PID 1764 set thread context of 4088	1764	spoolsv.exe	diskperf.exe
PID 1368 set thread context of 4080	1368	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 388	1596	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 320	1596	spoolsv.exe	diskperf.exe
PID 1652 set thread context of 688	1652	spoolsv.exe	spoolsv.exe
PID 1216 set thread context of 3392	1216	spoolsv.exe	spoolsv.exe
PID 1652 set thread context of 440	1652	spoolsv.exe	diskperf.exe
PID 1216 set thread context of 3444	1216	spoolsv.exe	diskperf.exe
PID 616 set thread context of 3416	616	spoolsv.exe	spoolsv.exe
PID 616 set thread context of 3480	616	spoolsv.exe	diskperf.exe
PID 1360 set thread context of 3488	1360	spoolsv.exe	spoolsv.exe
PID 1360 set thread context of 3500	1360	spoolsv.exe	diskperf.exe
PID 1912 set thread context of 1620	1912	spoolsv.exe	spoolsv.exe
PID 1912 set thread context of 3524	1912	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exeexplorer.exe

pid	process
1220	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1172 explorer.exe

pid	process
1172	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1220	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
1220	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
3328	spoolsv.exe
3328	spoolsv.exe
3376	spoolsv.exe
3376	spoolsv.exe
3412	spoolsv.exe
3412	spoolsv.exe
3448	spoolsv.exe
3448	spoolsv.exe
3484	spoolsv.exe
3484	spoolsv.exe
3520	spoolsv.exe
3520	spoolsv.exe
3556	spoolsv.exe
3556	spoolsv.exe
3592	spoolsv.exe
3592	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
3664	spoolsv.exe
3664	spoolsv.exe
3700	spoolsv.exe
3700	spoolsv.exe
3736	spoolsv.exe
3736	spoolsv.exe
3772	spoolsv.exe
3772	spoolsv.exe
3800	spoolsv.exe
3800	spoolsv.exe
3836	spoolsv.exe
3836	spoolsv.exe
3864	spoolsv.exe
3864	spoolsv.exe
3900	spoolsv.exe
3900	spoolsv.exe
3928	spoolsv.exe
3928	spoolsv.exe
3956	spoolsv.exe
3956	spoolsv.exe
3984	spoolsv.exe
3984	spoolsv.exe
4020	spoolsv.exe
4020	spoolsv.exe
4028	spoolsv.exe
4028	spoolsv.exe
4072	spoolsv.exe
4072	spoolsv.exe
4064	spoolsv.exe
4064	spoolsv.exe
388	spoolsv.exe
388	spoolsv.exe
3392	spoolsv.exe
688	spoolsv.exe
688	spoolsv.exe
3392	spoolsv.exe
3416	spoolsv.exe
3416	spoolsv.exe
3488	spoolsv.exe
3488	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2040 wrote to memory of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 wrote to memory of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 wrote to memory of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 wrote to memory of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 wrote to memory of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 wrote to memory of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 wrote to memory of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 wrote to memory of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 wrote to memory of 1220	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 2040 wrote to memory of 800	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 2040 wrote to memory of 800	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 2040 wrote to memory of 800	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 2040 wrote to memory of 800	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 2040 wrote to memory of 800	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 2040 wrote to memory of 800	2040	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 1220 wrote to memory of 1808	1220	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	explorer.exe
PID 1220 wrote to memory of 1808	1220	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	explorer.exe
PID 1220 wrote to memory of 1808	1220	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	explorer.exe
PID 1220 wrote to memory of 1808	1220	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	explorer.exe
PID 1808 wrote to memory of 1172	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1172	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1172	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1172	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1172	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1172	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1172	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1172	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 1172	1808	explorer.exe	explorer.exe
PID 1808 wrote to memory of 924	1808	explorer.exe	diskperf.exe
PID 1808 wrote to memory of 924	1808	explorer.exe	diskperf.exe
PID 1808 wrote to memory of 924	1808	explorer.exe	diskperf.exe
PID 1808 wrote to memory of 924	1808	explorer.exe	diskperf.exe
PID 1808 wrote to memory of 924	1808	explorer.exe	diskperf.exe
PID 1808 wrote to memory of 924	1808	explorer.exe	diskperf.exe
PID 1172 wrote to memory of 524	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 524	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 524	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 524	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1648	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1648	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1648	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1648	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 860	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 860	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 860	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 860	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1900	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1900	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1900	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1900	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 2012	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 2012	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 2012	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 2012	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1616	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1616	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1616	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1616	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1532	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1532	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1532	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1532	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1588	1172	explorer.exe	spoolsv.exe
PID 1172 wrote to memory of 1588	1172	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
"C:\Users\Admin\AppData\Local\Temp\5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
  "C:\Users\Admin\AppData\Local\Temp\5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1220
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:524
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3328
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3368
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1648
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3396
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:860
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3412
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3432
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1900
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3468
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2012
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3484
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3504
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1616
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3520
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3540
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3556
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3576
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1588
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3592
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3620
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:908
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3648
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1440
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3664
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3684
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1080
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3700
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3720
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2040
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3736
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3756
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1220
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3772
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3784
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1244
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3800
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3820
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1676
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3836
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3856
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1060
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3864
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3892
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1808
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3900
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3920
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:552
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3928
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3948
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3956
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3976
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:840
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3984
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4012
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1340
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4020
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4048
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1756
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4028
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1368
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1764
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4088
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1596
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:320
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1652
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:688
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1216
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3444
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3392
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:616
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3416
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1360
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3488
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1912
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3524
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3548
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:604
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3612
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1600
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3596
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:400
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1628
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1104
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1508
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3668
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:968
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1740
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1072
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3740
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1180
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2004
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3704
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3840
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1504
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1684
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3832
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3928
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3888
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4008
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1796
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3868
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1492
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:936
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1612
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:268
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1716
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:388
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2036
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:852
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3616
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4076
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1388
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3360
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:680
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4024
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:660
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1904
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1364
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1236
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1728
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4104
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1264
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3956
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1780
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2016
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1664
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1092
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4152
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1608
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3852
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1768
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4128
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:948
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3716
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:368
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1352
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3800
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1632
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3776
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3700
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:764
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1140
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1056
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1512
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1496
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4172
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1636
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3880
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1120
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1964
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3904
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:820
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1640
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1164
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2060
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2068
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4144
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4196
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2076
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4120
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3344
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:924
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:800

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1184

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
bd446939da29c3ec6450c05da7ad5db5

SHA1
3a80891a8262beb59976fcad4cb12f2e183619bc

SHA256
5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6

SHA512
23c1ccb734415590aaeb10d3886c92394fd4780c57a4991123b040ed15fffc9d5dc6effea7536671eb694641db135bdce29615f48ee6a73575da158539d1bf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
66b33f2715c355d6c20de712946b0eb5

SHA1
99c43a9977d21aee73bd02a6422127a519572396

SHA256
ed877495af60cb381ff2e35058615aeb40e2f7e3e624311f7d7fe1917358bc60

SHA512
4cdb326c9bb1625416a308ebb79836b472c0666ba277f7644c2811bdca766a92bb968c228b2f153c787bc7a4946e98dd9b983f550378a107e23dc44dea2872fe

Download Submit
C:\Windows\system\explorer.exe

MD5
66b33f2715c355d6c20de712946b0eb5

SHA1
99c43a9977d21aee73bd02a6422127a519572396

SHA256
ed877495af60cb381ff2e35058615aeb40e2f7e3e624311f7d7fe1917358bc60

SHA512
4cdb326c9bb1625416a308ebb79836b472c0666ba277f7644c2811bdca766a92bb968c228b2f153c787bc7a4946e98dd9b983f550378a107e23dc44dea2872fe

Download Submit
C:\Windows\system\explorer.exe

MD5
66b33f2715c355d6c20de712946b0eb5

SHA1
99c43a9977d21aee73bd02a6422127a519572396

SHA256
ed877495af60cb381ff2e35058615aeb40e2f7e3e624311f7d7fe1917358bc60

SHA512
4cdb326c9bb1625416a308ebb79836b472c0666ba277f7644c2811bdca766a92bb968c228b2f153c787bc7a4946e98dd9b983f550378a107e23dc44dea2872fe

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
C:\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\??\c:\windows\system\explorer.exe

MD5
66b33f2715c355d6c20de712946b0eb5

SHA1
99c43a9977d21aee73bd02a6422127a519572396

SHA256
ed877495af60cb381ff2e35058615aeb40e2f7e3e624311f7d7fe1917358bc60

SHA512
4cdb326c9bb1625416a308ebb79836b472c0666ba277f7644c2811bdca766a92bb968c228b2f153c787bc7a4946e98dd9b983f550378a107e23dc44dea2872fe

Download Submit
\Windows\system\explorer.exe

MD5
66b33f2715c355d6c20de712946b0eb5

SHA1
99c43a9977d21aee73bd02a6422127a519572396

SHA256
ed877495af60cb381ff2e35058615aeb40e2f7e3e624311f7d7fe1917358bc60

SHA512
4cdb326c9bb1625416a308ebb79836b472c0666ba277f7644c2811bdca766a92bb968c228b2f153c787bc7a4946e98dd9b983f550378a107e23dc44dea2872fe

Download Submit
\Windows\system\explorer.exe

MD5
66b33f2715c355d6c20de712946b0eb5

SHA1
99c43a9977d21aee73bd02a6422127a519572396

SHA256
ed877495af60cb381ff2e35058615aeb40e2f7e3e624311f7d7fe1917358bc60

SHA512
4cdb326c9bb1625416a308ebb79836b472c0666ba277f7644c2811bdca766a92bb968c228b2f153c787bc7a4946e98dd9b983f550378a107e23dc44dea2872fe

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
\Windows\system\spoolsv.exe

MD5
9fa6245c28dfc1a59afe940cf41d4610

SHA1
9a4c9190a9e4dbe49d13d7a81fcdcfa383dc1bfa

SHA256
9421f06bfea2268b2dc2ccf9a95e44aaf1b6060bd5bbcd91e25f25a84d14eb85

SHA512
4af745392d59e365f5f1ab839d6b7bfbdd7d7c4ab6e1eb92776167d7eb600fb194e9997cbdec820323a009ecc98c3348e46c1daccb88e59514c3a6b60f1ac5c6

Download Submit
memory/400-247-0x0000000000000000-mapping.dmp

Download
memory/524-93-0x0000000000000000-mapping.dmp

Download
memory/524-98-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/552-196-0x0000000000000000-mapping.dmp

Download
memory/552-206-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/604-243-0x0000000000000000-mapping.dmp

Download
memory/604-259-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/616-228-0x0000000000000000-mapping.dmp

Download
memory/616-239-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/680-292-0x0000000000000000-mapping.dmp

Download
memory/800-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/800-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/800-67-0x0000000000411000-mapping.dmp

Download
memory/840-205-0x0000000000000000-mapping.dmp

Download
memory/840-217-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/852-279-0x0000000000000000-mapping.dmp

Download
memory/860-116-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/860-106-0x0000000000000000-mapping.dmp

Download
memory/908-146-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/908-141-0x0000000000000000-mapping.dmp

Download
memory/924-85-0x0000000000411000-mapping.dmp

Download
memory/932-267-0x0000000000000000-mapping.dmp

Download
memory/932-281-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/948-310-0x0000000000000000-mapping.dmp

Download
memory/972-269-0x0000000000000000-mapping.dmp

Download
memory/972-282-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1052-201-0x0000000000000000-mapping.dmp

Download
memory/1060-188-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1060-184-0x0000000000000000-mapping.dmp

Download
memory/1080-163-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1080-154-0x0000000000000000-mapping.dmp

Download
memory/1092-307-0x0000000000000000-mapping.dmp

Download
memory/1156-255-0x0000000000000000-mapping.dmp

Download
memory/1156-266-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1172-80-0x0000000000403670-mapping.dmp

Download
memory/1180-253-0x0000000000000000-mapping.dmp

Download
memory/1180-265-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1216-226-0x0000000000000000-mapping.dmp

Download
memory/1220-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1220-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1220-167-0x0000000000000000-mapping.dmp

Download
memory/1220-62-0x0000000000403670-mapping.dmp

Download
memory/1236-294-0x0000000000000000-mapping.dmp

Download
memory/1236-303-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1244-172-0x0000000000000000-mapping.dmp

Download
memory/1244-179-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1264-296-0x0000000000000000-mapping.dmp

Download
memory/1340-209-0x0000000000000000-mapping.dmp

Download
memory/1360-230-0x0000000000000000-mapping.dmp

Download
memory/1360-240-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1368-213-0x0000000000000000-mapping.dmp

Download
memory/1388-290-0x0000000000000000-mapping.dmp

Download
memory/1388-298-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/1440-161-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1440-149-0x0000000000000000-mapping.dmp

Download
memory/1492-284-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1492-273-0x0000000000000000-mapping.dmp

Download
memory/1504-257-0x0000000000000000-mapping.dmp

Download
memory/1508-249-0x0000000000000000-mapping.dmp

Download
memory/1508-263-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1532-130-0x0000000000000000-mapping.dmp

Download
memory/1532-144-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1588-145-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1588-136-0x0000000000000000-mapping.dmp

Download
memory/1596-222-0x0000000000000000-mapping.dmp

Download
memory/1600-261-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1600-245-0x0000000000000000-mapping.dmp

Download
memory/1608-308-0x0000000000000000-mapping.dmp

Download
memory/1612-275-0x0000000000000000-mapping.dmp

Download
memory/1612-285-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1616-124-0x0000000000000000-mapping.dmp

Download
memory/1616-131-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1648-114-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1648-101-0x0000000000000000-mapping.dmp

Download
memory/1652-224-0x0000000000000000-mapping.dmp

Download
memory/1652-237-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1664-311-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1664-306-0x0000000000000000-mapping.dmp

Download
memory/1676-178-0x0000000000000000-mapping.dmp

Download
memory/1676-187-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1716-277-0x0000000000000000-mapping.dmp

Download
memory/1716-286-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1728-295-0x0000000000000000-mapping.dmp

Download
memory/1728-304-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1740-264-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1740-251-0x0000000000000000-mapping.dmp

Download
memory/1756-219-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1756-211-0x0000000000000000-mapping.dmp

Download
memory/1760-234-0x0000000000000000-mapping.dmp

Download
memory/1764-221-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1764-215-0x0000000000000000-mapping.dmp

Download
memory/1768-309-0x0000000000000000-mapping.dmp

Download
memory/1780-299-0x0000000000000000-mapping.dmp

Download
memory/1796-271-0x0000000000000000-mapping.dmp

Download
memory/1796-283-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1808-191-0x0000000000000000-mapping.dmp

Download
memory/1808-72-0x0000000000000000-mapping.dmp

Download
memory/1808-204-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1808-77-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1900-115-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1900-111-0x0000000000000000-mapping.dmp

Download
memory/1904-293-0x0000000000000000-mapping.dmp

Download
memory/1904-301-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1912-232-0x0000000000000000-mapping.dmp

Download
memory/1912-241-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1960-288-0x0000000000000000-mapping.dmp

Download
memory/2012-119-0x0000000000000000-mapping.dmp

Download
memory/2012-127-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2040-159-0x0000000000000000-mapping.dmp

Download
memory/2040-164-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2040-59-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/2040-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download