warzonerat | 5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6

Analysis

max time kernel
150s
max time network
46s
platform
windows10_x64
resource
win10v20210408
submitted
16-05-2021 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
Size

1.8MB
MD5

bd446939da29c3ec6450c05da7ad5db5
SHA1

3a80891a8262beb59976fcad4cb12f2e183619bc
SHA256

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6
SHA512

23c1ccb734415590aaeb10d3886c92394fd4780c57a4991123b040ed15fffc9d5dc6effea7536671eb694641db135bdce29615f48ee6a73575da158539d1bf3b

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3972	explorer.exe
3640	explorer.exe
3976	spoolsv.exe
3760	spoolsv.exe
1564	spoolsv.exe
2020	spoolsv.exe
2380	spoolsv.exe
1916	spoolsv.exe
1772	spoolsv.exe
4032	spoolsv.exe
3096	spoolsv.exe
4072	spoolsv.exe
2884	spoolsv.exe
2876	spoolsv.exe
2324	spoolsv.exe
3668	spoolsv.exe
3584	spoolsv.exe
2788	spoolsv.exe
1460	spoolsv.exe
3416	spoolsv.exe
3828	spoolsv.exe
2716	spoolsv.exe
2288	spoolsv.exe
3496	spoolsv.exe
512	spoolsv.exe
204	spoolsv.exe
2648	spoolsv.exe
3288	spoolsv.exe
3884	spoolsv.exe
1576	spoolsv.exe
420	spoolsv.exe
2220	spoolsv.exe
3624	spoolsv.exe
2276	spoolsv.exe
3468	spoolsv.exe
1988	spoolsv.exe
2412	spoolsv.exe
1832	spoolsv.exe
1252	spoolsv.exe
3156	spoolsv.exe
1480	spoolsv.exe
3920	spoolsv.exe
2664	spoolsv.exe
1736	spoolsv.exe
3348	spoolsv.exe
3036	spoolsv.exe
940	spoolsv.exe
3576	spoolsv.exe
4120	spoolsv.exe
4144	spoolsv.exe
4168	spoolsv.exe
4208	spoolsv.exe
4232	spoolsv.exe
4256	spoolsv.exe
4292	spoolsv.exe
4316	spoolsv.exe
4340	spoolsv.exe
4368	spoolsv.exe
4400	spoolsv.exe
4424	spoolsv.exe
4448	spoolsv.exe
4480	spoolsv.exe
4496	spoolsv.exe
4512	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3628 set thread context of 200	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 3628 set thread context of 3620	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 3972 set thread context of 3640	3972	explorer.exe	explorer.exe
PID 3972 set thread context of 1216	3972	explorer.exe	diskperf.exe
PID 3976 set thread context of 6816	3976	spoolsv.exe	spoolsv.exe
PID 3976 set thread context of 6848	3976	spoolsv.exe	diskperf.exe
PID 3760 set thread context of 6900	3760	spoolsv.exe	spoolsv.exe
PID 3760 set thread context of 6932	3760	spoolsv.exe	diskperf.exe
PID 1564 set thread context of 7012	1564	spoolsv.exe	spoolsv.exe
PID 2020 set thread context of 7036	2020	spoolsv.exe	spoolsv.exe
PID 2380 set thread context of 7112	2380	spoolsv.exe	spoolsv.exe
PID 2380 set thread context of 7132	2380	spoolsv.exe	diskperf.exe
PID 1916 set thread context of 7144	1916	spoolsv.exe	spoolsv.exe
PID 1916 set thread context of 2720	1916	spoolsv.exe	diskperf.exe
PID 1772 set thread context of 196	1772	spoolsv.exe	spoolsv.exe
PID 4032 set thread context of 2100	4032	spoolsv.exe	spoolsv.exe
PID 1772 set thread context of 2336	1772	spoolsv.exe	diskperf.exe
PID 4032 set thread context of 6860	4032	spoolsv.exe	diskperf.exe
PID 3096 set thread context of 7020	3096	spoolsv.exe	spoolsv.exe
PID 3096 set thread context of 7084	3096	spoolsv.exe	diskperf.exe
PID 4072 set thread context of 7124	4072	spoolsv.exe	spoolsv.exe
PID 4072 set thread context of 7140	4072	spoolsv.exe	diskperf.exe
PID 2884 set thread context of 1180	2884	spoolsv.exe	spoolsv.exe
PID 2884 set thread context of 6864	2884	spoolsv.exe	diskperf.exe
PID 2876 set thread context of 6940	2876	spoolsv.exe	spoolsv.exe
PID 2876 set thread context of 3240	2876	spoolsv.exe	diskperf.exe
PID 2324 set thread context of 2184	2324	spoolsv.exe	spoolsv.exe
PID 3668 set thread context of 1008	3668	spoolsv.exe	spoolsv.exe
PID 3668 set thread context of 1892	3668	spoolsv.exe	diskperf.exe
PID 3584 set thread context of 7100	3584	spoolsv.exe	spoolsv.exe
PID 3584 set thread context of 7040	3584	spoolsv.exe	diskperf.exe
PID 2788 set thread context of 2492	2788	spoolsv.exe	spoolsv.exe
PID 2788 set thread context of 7156	2788	spoolsv.exe	diskperf.exe
PID 1460 set thread context of 6968	1460	spoolsv.exe	spoolsv.exe
PID 3416 set thread context of 6904	3416	spoolsv.exe	spoolsv.exe
PID 3416 set thread context of 3772	3416	spoolsv.exe	diskperf.exe
PID 3828 set thread context of 2624	3828	spoolsv.exe	spoolsv.exe
PID 3828 set thread context of 2196	3828	spoolsv.exe	diskperf.exe
PID 2716 set thread context of 3628	2716	spoolsv.exe	spoolsv.exe
PID 2716 set thread context of 3328	2716	spoolsv.exe	diskperf.exe
PID 2288 set thread context of 4508	2288	spoolsv.exe	spoolsv.exe
PID 2288 set thread context of 1488	2288	spoolsv.exe	diskperf.exe
PID 3496 set thread context of 2308	3496	spoolsv.exe	spoolsv.exe
PID 512 set thread context of 4572	512	spoolsv.exe	spoolsv.exe
PID 512 set thread context of 3392	512	spoolsv.exe	diskperf.exe
PID 204 set thread context of 3192	204	spoolsv.exe	spoolsv.exe
PID 204 set thread context of 4520	204	spoolsv.exe	diskperf.exe
PID 2648 set thread context of 4636	2648	spoolsv.exe	spoolsv.exe
PID 2648 set thread context of 3552	2648	spoolsv.exe	diskperf.exe
PID 3288 set thread context of 6896	3288	spoolsv.exe	spoolsv.exe
PID 3288 set thread context of 4584	3288	spoolsv.exe	diskperf.exe
PID 3884 set thread context of 2296	3884	spoolsv.exe	spoolsv.exe
PID 3884 set thread context of 4508	3884	spoolsv.exe	diskperf.exe
PID 1576 set thread context of 3376	1576	spoolsv.exe	spoolsv.exe
PID 1576 set thread context of 4728	1576	spoolsv.exe	diskperf.exe
PID 420 set thread context of 3888	420	spoolsv.exe	spoolsv.exe
PID 420 set thread context of 4764	420	spoolsv.exe	diskperf.exe
PID 2220 set thread context of 2296	2220	spoolsv.exe	spoolsv.exe
PID 2220 set thread context of 4776	2220	spoolsv.exe	diskperf.exe
PID 3624 set thread context of 4748	3624	spoolsv.exe	spoolsv.exe
PID 3624 set thread context of 4732	3624	spoolsv.exe	diskperf.exe
PID 2276 set thread context of 4760	2276	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 4860	2276	spoolsv.exe	diskperf.exe
PID 3468 set thread context of 2296	3468	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exe5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exeexplorer.exe

pid	process
200	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
200	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

3640 explorer.exe

pid	process
3640	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
200	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
200	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
3640	explorer.exe
6816	spoolsv.exe
6816	spoolsv.exe
6900	spoolsv.exe
6900	spoolsv.exe
7012	spoolsv.exe
7036	spoolsv.exe
7012	spoolsv.exe
7036	spoolsv.exe
7112	spoolsv.exe
7144	spoolsv.exe
7112	spoolsv.exe
7144	spoolsv.exe
2100	spoolsv.exe
196	spoolsv.exe
2100	spoolsv.exe
7020	spoolsv.exe
7020	spoolsv.exe
196	spoolsv.exe
7124	spoolsv.exe
7124	spoolsv.exe
1180	spoolsv.exe
1180	spoolsv.exe
6940	spoolsv.exe
6940	spoolsv.exe
2184	spoolsv.exe
2184	spoolsv.exe
1008	spoolsv.exe
1008	spoolsv.exe
7100	spoolsv.exe
7100	spoolsv.exe
2492	spoolsv.exe
2492	spoolsv.exe
6968	spoolsv.exe
6968	spoolsv.exe
6904	spoolsv.exe
6904	spoolsv.exe
2624	spoolsv.exe
2624	spoolsv.exe
3628	spoolsv.exe
3628	spoolsv.exe
4508	spoolsv.exe
4508	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
4572	spoolsv.exe
4572	spoolsv.exe
3192	spoolsv.exe
3192	spoolsv.exe
4636	spoolsv.exe
4636	spoolsv.exe
6896	spoolsv.exe
6896	spoolsv.exe
2296	spoolsv.exe
2296	spoolsv.exe
3376	spoolsv.exe
3376	spoolsv.exe
3888	spoolsv.exe
3888	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3628 wrote to memory of 200	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 3628 wrote to memory of 200	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 3628 wrote to memory of 200	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 3628 wrote to memory of 200	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 3628 wrote to memory of 200	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 3628 wrote to memory of 200	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 3628 wrote to memory of 200	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 3628 wrote to memory of 200	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
PID 3628 wrote to memory of 3620	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 3628 wrote to memory of 3620	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 3628 wrote to memory of 3620	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 3628 wrote to memory of 3620	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 3628 wrote to memory of 3620	3628	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	diskperf.exe
PID 200 wrote to memory of 3972	200	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	explorer.exe
PID 200 wrote to memory of 3972	200	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	explorer.exe
PID 200 wrote to memory of 3972	200	5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe	explorer.exe
PID 3972 wrote to memory of 3640	3972	explorer.exe	explorer.exe
PID 3972 wrote to memory of 3640	3972	explorer.exe	explorer.exe
PID 3972 wrote to memory of 3640	3972	explorer.exe	explorer.exe
PID 3972 wrote to memory of 3640	3972	explorer.exe	explorer.exe
PID 3972 wrote to memory of 3640	3972	explorer.exe	explorer.exe
PID 3972 wrote to memory of 3640	3972	explorer.exe	explorer.exe
PID 3972 wrote to memory of 3640	3972	explorer.exe	explorer.exe
PID 3972 wrote to memory of 3640	3972	explorer.exe	explorer.exe
PID 3972 wrote to memory of 1216	3972	explorer.exe	diskperf.exe
PID 3972 wrote to memory of 1216	3972	explorer.exe	diskperf.exe
PID 3972 wrote to memory of 1216	3972	explorer.exe	diskperf.exe
PID 3972 wrote to memory of 1216	3972	explorer.exe	diskperf.exe
PID 3972 wrote to memory of 1216	3972	explorer.exe	diskperf.exe
PID 3640 wrote to memory of 3976	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 3976	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 3976	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 3760	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 3760	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 3760	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 1564	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 1564	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 1564	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2020	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2020	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2020	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2380	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2380	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2380	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 1916	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 1916	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 1916	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 1772	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 1772	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 1772	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 4032	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 4032	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 4032	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 3096	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 3096	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 3096	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 4072	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 4072	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 4072	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2884	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2884	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2884	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2876	3640	explorer.exe	spoolsv.exe
PID 3640 wrote to memory of 2876	3640	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
"C:\Users\Admin\AppData\Local\Temp\5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe
  "C:\Users\Admin\AppData\Local\Temp\5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:200
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3976
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6816
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6972
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6900
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1564
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7012
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7092
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2020
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7036
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2380
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1916
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7144
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:196
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4032
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2100
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3096
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7020
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4072
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7124
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2884
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1180
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2876
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6940
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2324
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2184
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3668
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1008
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7056
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3584
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7100
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1532
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2788
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1884
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1460
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6968
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2852
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3416
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6904
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4416
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3828
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2624
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7116
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2716
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4492
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2288
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4508
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4524
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3496
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4556
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:512
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4572
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4588
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:204
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3192
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3804
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2648
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:500
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3288
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6896
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4684
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3884
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2296
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1576
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2624
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:420
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3888
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6896
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2220
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2296
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3568
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3624
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4748
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4844
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2276
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4760
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4872
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3468
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2296
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1796
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1988
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4936
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4856
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2412
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4972
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2200
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1832
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4808
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:740
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1252
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5048
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2308
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5080
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2328
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1480
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5112
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:900
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3920
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1408
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4152
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2664
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2204
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4036
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1736
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2296
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4108
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3348
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1408
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4200
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3036
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5052
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3520
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4472
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5140
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3576
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2988
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5172
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4120
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3900
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4220
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6948
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1216
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
bd446939da29c3ec6450c05da7ad5db5

SHA1
3a80891a8262beb59976fcad4cb12f2e183619bc

SHA256
5d597c9d9079757dd3212b79e3092a77f100954526198a8df4fe72e47133f6c6

SHA512
23c1ccb734415590aaeb10d3886c92394fd4780c57a4991123b040ed15fffc9d5dc6effea7536671eb694641db135bdce29615f48ee6a73575da158539d1bf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
76ab120607979e923d74d7227b3a4c34

SHA1
05077fc9a2ac7ae0d926029d506e64b02616e694

SHA256
40d333e50b9bdc769070fa6fe89181eb06e79880846d57ba91bfd142015d7678

SHA512
ff206b6271b1a95d6ccfa160db9b20d743c28a53246b8c1cb3520eb276b93ec66717cd205204a52dcaeac72b56760a1e02b74191f0970fc9a3772686ae5bc8e2

Download Submit
C:\Windows\System\explorer.exe

MD5
76ab120607979e923d74d7227b3a4c34

SHA1
05077fc9a2ac7ae0d926029d506e64b02616e694

SHA256
40d333e50b9bdc769070fa6fe89181eb06e79880846d57ba91bfd142015d7678

SHA512
ff206b6271b1a95d6ccfa160db9b20d743c28a53246b8c1cb3520eb276b93ec66717cd205204a52dcaeac72b56760a1e02b74191f0970fc9a3772686ae5bc8e2

Download Submit
C:\Windows\System\explorer.exe

MD5
76ab120607979e923d74d7227b3a4c34

SHA1
05077fc9a2ac7ae0d926029d506e64b02616e694

SHA256
40d333e50b9bdc769070fa6fe89181eb06e79880846d57ba91bfd142015d7678

SHA512
ff206b6271b1a95d6ccfa160db9b20d743c28a53246b8c1cb3520eb276b93ec66717cd205204a52dcaeac72b56760a1e02b74191f0970fc9a3772686ae5bc8e2

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
C:\Windows\System\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
\??\c:\windows\system\explorer.exe

MD5
76ab120607979e923d74d7227b3a4c34

SHA1
05077fc9a2ac7ae0d926029d506e64b02616e694

SHA256
40d333e50b9bdc769070fa6fe89181eb06e79880846d57ba91bfd142015d7678

SHA512
ff206b6271b1a95d6ccfa160db9b20d743c28a53246b8c1cb3520eb276b93ec66717cd205204a52dcaeac72b56760a1e02b74191f0970fc9a3772686ae5bc8e2

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
f516a891bd8a426bbfa7170847b6a009

SHA1
e6d94dcbb42133177bc5d4dd35418baef8974ea8

SHA256
903b4cc03d60bd5aed3edd383c077a62a49093fa811a46f181d4b6a9eef52d2a

SHA512
8f7d741f69c5e9d5fd5af6195b60b5a23e914221608f8adf62ceb769814bd05f099d39f8f9852d418ba0deda509fc453d2c5ab91cc5b34744bcf3bb3b83d9464

Download Submit
memory/200-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/200-116-0x0000000000403670-mapping.dmp

Download
memory/200-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/204-214-0x0000000000000000-mapping.dmp

Download
memory/420-228-0x0000000000000000-mapping.dmp

Download
memory/420-236-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/512-213-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/512-209-0x0000000000000000-mapping.dmp

Download
memory/940-277-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/940-274-0x0000000000000000-mapping.dmp

Download
memory/1216-136-0x0000000000411000-mapping.dmp

Download
memory/1252-255-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1252-251-0x0000000000000000-mapping.dmp

Download
memory/1460-201-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1460-193-0x0000000000000000-mapping.dmp

Download
memory/1480-258-0x0000000000000000-mapping.dmp

Download
memory/1480-266-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1564-151-0x0000000000000000-mapping.dmp

Download
memory/1564-159-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1576-226-0x0000000000000000-mapping.dmp

Download
memory/1576-234-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/1736-268-0x0000000000000000-mapping.dmp

Download
memory/1736-276-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/1772-169-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1772-163-0x0000000000000000-mapping.dmp

Download
memory/1832-249-0x0000000000000000-mapping.dmp

Download
memory/1832-254-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1916-160-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1916-157-0x0000000000000000-mapping.dmp

Download
memory/1988-242-0x0000000000000000-mapping.dmp

Download
memory/1988-246-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2020-153-0x0000000000000000-mapping.dmp

Download
memory/2220-230-0x0000000000000000-mapping.dmp

Download
memory/2220-237-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2276-244-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2276-238-0x0000000000000000-mapping.dmp

Download
memory/2288-205-0x0000000000000000-mapping.dmp

Download
memory/2288-211-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2324-183-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2324-178-0x0000000000000000-mapping.dmp

Download
memory/2380-155-0x0000000000000000-mapping.dmp

Download
memory/2380-162-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2412-247-0x0000000000000000-mapping.dmp

Download
memory/2412-253-0x0000000000590000-0x000000000063E000-memory.dmp

Filesize
696KB

Download
memory/2648-216-0x0000000000000000-mapping.dmp

Download
memory/2648-224-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2664-262-0x0000000000000000-mapping.dmp

Download
memory/2664-265-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2716-199-0x0000000000000000-mapping.dmp

Download
memory/2716-202-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2788-188-0x0000000000000000-mapping.dmp

Download
memory/2788-192-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2876-176-0x0000000000000000-mapping.dmp

Download
memory/2876-182-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2884-174-0x0000000000000000-mapping.dmp

Download
memory/3036-279-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3036-272-0x0000000000000000-mapping.dmp

Download
memory/3096-171-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3096-167-0x0000000000000000-mapping.dmp

Download
memory/3156-256-0x0000000000000000-mapping.dmp

Download
memory/3156-264-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3288-225-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3288-218-0x0000000000000000-mapping.dmp

Download
memory/3348-270-0x0000000000000000-mapping.dmp

Download
memory/3416-195-0x0000000000000000-mapping.dmp

Download
memory/3416-203-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3468-245-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3468-240-0x0000000000000000-mapping.dmp

Download
memory/3496-207-0x0000000000000000-mapping.dmp

Download
memory/3496-212-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3576-288-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3576-280-0x0000000000000000-mapping.dmp

Download
memory/3584-186-0x0000000000000000-mapping.dmp

Download
memory/3620-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3620-118-0x0000000000411000-mapping.dmp

Download
memory/3620-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3624-232-0x0000000000000000-mapping.dmp

Download
memory/3624-235-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/3628-114-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3640-131-0x0000000000403670-mapping.dmp

Download
memory/3668-184-0x0000000000000000-mapping.dmp

Download
memory/3668-190-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3760-150-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/3760-147-0x0000000000000000-mapping.dmp

Download
memory/3828-204-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3828-197-0x0000000000000000-mapping.dmp

Download
memory/3884-223-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3884-220-0x0000000000000000-mapping.dmp

Download
memory/3920-260-0x0000000000000000-mapping.dmp

Download
memory/3920-267-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3972-126-0x0000000000000000-mapping.dmp

Download
memory/3972-129-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3976-144-0x0000000000000000-mapping.dmp

Download
memory/4032-165-0x0000000000000000-mapping.dmp

Download
memory/4032-170-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4072-172-0x0000000000000000-mapping.dmp

Download
memory/4072-180-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4120-282-0x0000000000000000-mapping.dmp

Download
memory/4120-289-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/4144-284-0x0000000000000000-mapping.dmp

Download
memory/4144-290-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4168-286-0x0000000000000000-mapping.dmp

Download
memory/4208-298-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4208-292-0x0000000000000000-mapping.dmp

Download
memory/4232-299-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4232-294-0x0000000000000000-mapping.dmp

Download
memory/4256-296-0x0000000000000000-mapping.dmp

Download
memory/4292-301-0x0000000000000000-mapping.dmp

Download
memory/4292-307-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4316-303-0x0000000000000000-mapping.dmp

Download
memory/4316-309-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4340-310-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4340-305-0x0000000000000000-mapping.dmp

Download
memory/4368-308-0x0000000000000000-mapping.dmp

Download
memory/4368-317-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4400-312-0x0000000000000000-mapping.dmp

Download
memory/4400-318-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4424-314-0x0000000000000000-mapping.dmp

Download
memory/4424-319-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4448-316-0x0000000000000000-mapping.dmp

Download