warzonerat | dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5

Analysis

max time kernel
151s
max time network
102s
platform
windows7_x64
resource
win7v20210410
submitted
16-05-2021 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
Size

3.2MB
MD5

b81e06b29c4e1058dd8755929a9a2d9e
SHA1

88fd34046f329f209023aa368f230e9b432e4291
SHA256

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5
SHA512

b74cd3db0cc851e1dde6c36a6de32f3102439c788f398b90699ce47f92e7722f9b177838d739801ec19e991e17ceddfa0ff6ddfbb0525233281e9d091a5a2e53

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
396	explorer.exe
772	explorer.exe
568	spoolsv.exe
1164	spoolsv.exe
1868	spoolsv.exe
804	spoolsv.exe
1596	spoolsv.exe
1780	spoolsv.exe
1064	spoolsv.exe
1160	spoolsv.exe
904	spoolsv.exe
952	spoolsv.exe
456	spoolsv.exe
240	spoolsv.exe
1972	spoolsv.exe
1916	spoolsv.exe
2024	spoolsv.exe
1704	spoolsv.exe
396	spoolsv.exe
1528	spoolsv.exe
768	spoolsv.exe
1296	spoolsv.exe
1912	spoolsv.exe
1368	spoolsv.exe
2020	spoolsv.exe
1044	spoolsv.exe
1716	spoolsv.exe
1384	spoolsv.exe
1648	spoolsv.exe
1700	spoolsv.exe
584	spoolsv.exe
1420	spoolsv.exe
956	spoolsv.exe
1860	spoolsv.exe
1760	spoolsv.exe
1836	spoolsv.exe
1856	spoolsv.exe
1840	spoolsv.exe
1584	spoolsv.exe
1880	spoolsv.exe
960	spoolsv.exe
972	spoolsv.exe
388	spoolsv.exe
1376	spoolsv.exe
540	spoolsv.exe
1984	spoolsv.exe
1992	spoolsv.exe
1280	spoolsv.exe
2036	spoolsv.exe
1636	spoolsv.exe
1516	spoolsv.exe
1580	spoolsv.exe
1612	spoolsv.exe
608	spoolsv.exe
1852	spoolsv.exe
1116	spoolsv.exe
1904	spoolsv.exe
548	spoolsv.exe
2012	spoolsv.exe
672	spoolsv.exe
1620	spoolsv.exe
1552	spoolsv.exe
912	spoolsv.exe
572	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exeexplorer.exe

pid	process
1612	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
1612	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 62 IoCs

Processes:

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1048 set thread context of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 set thread context of 532	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 396 set thread context of 772	396	explorer.exe	explorer.exe
PID 396 set thread context of 932	396	explorer.exe	diskperf.exe
PID 568 set thread context of 2948	568	spoolsv.exe	spoolsv.exe
PID 568 set thread context of 2956	568	spoolsv.exe	diskperf.exe
PID 1164 set thread context of 2996	1164	spoolsv.exe	spoolsv.exe
PID 1164 set thread context of 3004	1164	spoolsv.exe	diskperf.exe
PID 1868 set thread context of 3036	1868	spoolsv.exe	spoolsv.exe
PID 1868 set thread context of 3044	1868	spoolsv.exe	diskperf.exe
PID 804 set thread context of 1396	804	spoolsv.exe	spoolsv.exe
PID 804 set thread context of 1444	804	spoolsv.exe	diskperf.exe
PID 1596 set thread context of 2976	1596	spoolsv.exe	spoolsv.exe
PID 1596 set thread context of 2952	1596	spoolsv.exe	diskperf.exe
PID 1780 set thread context of 3060	1780	spoolsv.exe	spoolsv.exe
PID 1780 set thread context of 3052	1780	spoolsv.exe	diskperf.exe
PID 1064 set thread context of 1312	1064	spoolsv.exe	spoolsv.exe
PID 1064 set thread context of 3028	1064	spoolsv.exe	diskperf.exe
PID 1160 set thread context of 276	1160	spoolsv.exe	spoolsv.exe
PID 1160 set thread context of 3060	1160	spoolsv.exe	diskperf.exe
PID 904 set thread context of 1652	904	spoolsv.exe	spoolsv.exe
PID 904 set thread context of 3040	904	spoolsv.exe	diskperf.exe
PID 952 set thread context of 3092	952	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 3100	952	spoolsv.exe	diskperf.exe
PID 456 set thread context of 3128	456	spoolsv.exe	spoolsv.exe
PID 456 set thread context of 3136	456	spoolsv.exe	diskperf.exe
PID 240 set thread context of 3164	240	spoolsv.exe	spoolsv.exe
PID 240 set thread context of 3172	240	spoolsv.exe	diskperf.exe
PID 1972 set thread context of 3200	1972	spoolsv.exe	spoolsv.exe
PID 1972 set thread context of 3208	1972	spoolsv.exe	diskperf.exe
PID 1916 set thread context of 3228	1916	spoolsv.exe	spoolsv.exe
PID 1916 set thread context of 3236	1916	spoolsv.exe	diskperf.exe
PID 2024 set thread context of 3256	2024	spoolsv.exe	spoolsv.exe
PID 2024 set thread context of 3276	2024	spoolsv.exe	diskperf.exe
PID 1704 set thread context of 3288	1704	spoolsv.exe	spoolsv.exe
PID 1704 set thread context of 3296	1704	spoolsv.exe	diskperf.exe
PID 396 set thread context of 3324	396	spoolsv.exe	spoolsv.exe
PID 396 set thread context of 3332	396	spoolsv.exe	diskperf.exe
PID 1528 set thread context of 3360	1528	spoolsv.exe	spoolsv.exe
PID 1528 set thread context of 3380	1528	spoolsv.exe	diskperf.exe
PID 768 set thread context of 3388	768	spoolsv.exe	spoolsv.exe
PID 768 set thread context of 3396	768	spoolsv.exe	diskperf.exe
PID 1296 set thread context of 3420	1296	spoolsv.exe	spoolsv.exe
PID 1296 set thread context of 3428	1296	spoolsv.exe	diskperf.exe
PID 1368 set thread context of 3448	1368	spoolsv.exe	spoolsv.exe
PID 1368 set thread context of 3472	1368	spoolsv.exe	diskperf.exe
PID 1044 set thread context of 3492	1044	spoolsv.exe	spoolsv.exe
PID 1912 set thread context of 3456	1912	spoolsv.exe	spoolsv.exe
PID 2020 set thread context of 3464	2020	spoolsv.exe	spoolsv.exe
PID 1044 set thread context of 3500	1044	spoolsv.exe	diskperf.exe
PID 1912 set thread context of 3512	1912	spoolsv.exe	diskperf.exe
PID 2020 set thread context of 3520	2020	spoolsv.exe	diskperf.exe
PID 1716 set thread context of 3528	1716	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 3536	1716	spoolsv.exe	diskperf.exe
PID 1384 set thread context of 3544	1384	spoolsv.exe	spoolsv.exe
PID 1384 set thread context of 3564	1384	spoolsv.exe	diskperf.exe
PID 1648 set thread context of 3572	1648	spoolsv.exe	spoolsv.exe
PID 1648 set thread context of 3580	1648	spoolsv.exe	diskperf.exe
PID 1700 set thread context of 3600	1700	spoolsv.exe	spoolsv.exe
PID 1700 set thread context of 3608	1700	spoolsv.exe	diskperf.exe
PID 1420 set thread context of 3620	1420	spoolsv.exe	spoolsv.exe
PID 1420 set thread context of 3628	1420	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exeexplorer.exe

pid	process
1612	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

772 explorer.exe

pid	process
772	explorer.exe

Suspicious use of SetWindowsHookEx 63 IoCs

Processes:

pid	process
1612	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
1612	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
772	explorer.exe
2948	spoolsv.exe
2948	spoolsv.exe
2996	spoolsv.exe
2996	spoolsv.exe
3036	spoolsv.exe
3036	spoolsv.exe
1396	spoolsv.exe
1396	spoolsv.exe
2976	spoolsv.exe
2976	spoolsv.exe
3060	spoolsv.exe
3060	spoolsv.exe
1312	spoolsv.exe
1312	spoolsv.exe
276	spoolsv.exe
276	spoolsv.exe
1652	spoolsv.exe
1652	spoolsv.exe
3092	spoolsv.exe
3092	spoolsv.exe
3128	spoolsv.exe
3128	spoolsv.exe
3164	spoolsv.exe
3164	spoolsv.exe
3200	spoolsv.exe
3200	spoolsv.exe
3228	spoolsv.exe
3228	spoolsv.exe
3256	spoolsv.exe
3256	spoolsv.exe
3288	spoolsv.exe
3288	spoolsv.exe
3324	spoolsv.exe
3324	spoolsv.exe
3360	spoolsv.exe
3360	spoolsv.exe
3388	spoolsv.exe
3388	spoolsv.exe
3420	spoolsv.exe
3420	spoolsv.exe
3448	spoolsv.exe
3448	spoolsv.exe
3492	spoolsv.exe
3492	spoolsv.exe
3456	spoolsv.exe
3464	spoolsv.exe
3456	spoolsv.exe
3464	spoolsv.exe
3528	spoolsv.exe
3528	spoolsv.exe
3544	spoolsv.exe
3544	spoolsv.exe
3572	spoolsv.exe
3572	spoolsv.exe
3600	spoolsv.exe
3600	spoolsv.exe
3620	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exedba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1048 wrote to memory of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 wrote to memory of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 wrote to memory of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 wrote to memory of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 wrote to memory of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 wrote to memory of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 wrote to memory of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 wrote to memory of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 wrote to memory of 1612	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 1048 wrote to memory of 532	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 1048 wrote to memory of 532	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 1048 wrote to memory of 532	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 1048 wrote to memory of 532	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 1048 wrote to memory of 532	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 1048 wrote to memory of 532	1048	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 1612 wrote to memory of 396	1612	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	explorer.exe
PID 1612 wrote to memory of 396	1612	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	explorer.exe
PID 1612 wrote to memory of 396	1612	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	explorer.exe
PID 1612 wrote to memory of 396	1612	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	explorer.exe
PID 396 wrote to memory of 772	396	explorer.exe	explorer.exe
PID 396 wrote to memory of 772	396	explorer.exe	explorer.exe
PID 396 wrote to memory of 772	396	explorer.exe	explorer.exe
PID 396 wrote to memory of 772	396	explorer.exe	explorer.exe
PID 396 wrote to memory of 772	396	explorer.exe	explorer.exe
PID 396 wrote to memory of 772	396	explorer.exe	explorer.exe
PID 396 wrote to memory of 772	396	explorer.exe	explorer.exe
PID 396 wrote to memory of 772	396	explorer.exe	explorer.exe
PID 396 wrote to memory of 772	396	explorer.exe	explorer.exe
PID 396 wrote to memory of 932	396	explorer.exe	diskperf.exe
PID 396 wrote to memory of 932	396	explorer.exe	diskperf.exe
PID 396 wrote to memory of 932	396	explorer.exe	diskperf.exe
PID 396 wrote to memory of 932	396	explorer.exe	diskperf.exe
PID 396 wrote to memory of 932	396	explorer.exe	diskperf.exe
PID 396 wrote to memory of 932	396	explorer.exe	diskperf.exe
PID 772 wrote to memory of 568	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 568	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 568	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 568	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1164	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1164	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1164	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1164	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1868	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1868	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1868	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1868	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 804	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 804	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 804	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 804	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1596	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1596	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1596	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1596	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1780	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1780	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1780	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1780	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1064	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1064	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1064	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1064	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1160	772	explorer.exe	spoolsv.exe
PID 772 wrote to memory of 1160	772	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
"C:\Users\Admin\AppData\Local\Temp\dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
  "C:\Users\Admin\AppData\Local\Temp\dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1612
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:396
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:568
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2948
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2988
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1164
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2996
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1868
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:804
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1396
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1520
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1596
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3000
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1780
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1272
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1064
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1312
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:896
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1160
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:276
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1316
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:904
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1652
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3076
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:952
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3092
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:456
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3128
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3156
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:240
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3164
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3184
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3200
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3220
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1916
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3228
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3248
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2024
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3256
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3268
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1704
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3288
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3316
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:396
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3324
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3344
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1528
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3360
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3372
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:768
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3388
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3408
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1296
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3420
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3440
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1912
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3456
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1368
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3484
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2020
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3464
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1044
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3492
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1716
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3528
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3544
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3556
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1648
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3572
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3592
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1700
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3600
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:584
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3636
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1420
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3656
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:956
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3644
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1860
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3680
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3704
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1836
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3696
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1856
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3728
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1840
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3736
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1584
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3768
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1880
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3776
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3796
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3804
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3820
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:388
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3840
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3860
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2980
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:932
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
b81e06b29c4e1058dd8755929a9a2d9e

SHA1
88fd34046f329f209023aa368f230e9b432e4291

SHA256
dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5

SHA512
b74cd3db0cc851e1dde6c36a6de32f3102439c788f398b90699ce47f92e7722f9b177838d739801ec19e991e17ceddfa0ff6ddfbb0525233281e9d091a5a2e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
78a7478638b1b378f005b4ee99cc14f0

SHA1
092c27903e84841b3e0346c0fa5de3b2fd409eb3

SHA256
54dbb97668121c4c29ca30828e33196f9fde53270e579098f888ab81a40c3245

SHA512
b579a288ff396065929a5056e0c4ce168de51a2c573b34defcf30153953522ddaa89c4448b99a2347bbe5b747b6921ae41885271626439e18da20d434aac57a0

Download Submit
C:\Windows\system\explorer.exe

MD5
78a7478638b1b378f005b4ee99cc14f0

SHA1
092c27903e84841b3e0346c0fa5de3b2fd409eb3

SHA256
54dbb97668121c4c29ca30828e33196f9fde53270e579098f888ab81a40c3245

SHA512
b579a288ff396065929a5056e0c4ce168de51a2c573b34defcf30153953522ddaa89c4448b99a2347bbe5b747b6921ae41885271626439e18da20d434aac57a0

Download Submit
C:\Windows\system\explorer.exe

MD5
78a7478638b1b378f005b4ee99cc14f0

SHA1
092c27903e84841b3e0346c0fa5de3b2fd409eb3

SHA256
54dbb97668121c4c29ca30828e33196f9fde53270e579098f888ab81a40c3245

SHA512
b579a288ff396065929a5056e0c4ce168de51a2c573b34defcf30153953522ddaa89c4448b99a2347bbe5b747b6921ae41885271626439e18da20d434aac57a0

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
C:\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\??\c:\windows\system\explorer.exe

MD5
78a7478638b1b378f005b4ee99cc14f0

SHA1
092c27903e84841b3e0346c0fa5de3b2fd409eb3

SHA256
54dbb97668121c4c29ca30828e33196f9fde53270e579098f888ab81a40c3245

SHA512
b579a288ff396065929a5056e0c4ce168de51a2c573b34defcf30153953522ddaa89c4448b99a2347bbe5b747b6921ae41885271626439e18da20d434aac57a0

Download Submit
\Windows\system\explorer.exe

MD5
78a7478638b1b378f005b4ee99cc14f0

SHA1
092c27903e84841b3e0346c0fa5de3b2fd409eb3

SHA256
54dbb97668121c4c29ca30828e33196f9fde53270e579098f888ab81a40c3245

SHA512
b579a288ff396065929a5056e0c4ce168de51a2c573b34defcf30153953522ddaa89c4448b99a2347bbe5b747b6921ae41885271626439e18da20d434aac57a0

Download Submit
\Windows\system\explorer.exe

MD5
78a7478638b1b378f005b4ee99cc14f0

SHA1
092c27903e84841b3e0346c0fa5de3b2fd409eb3

SHA256
54dbb97668121c4c29ca30828e33196f9fde53270e579098f888ab81a40c3245

SHA512
b579a288ff396065929a5056e0c4ce168de51a2c573b34defcf30153953522ddaa89c4448b99a2347bbe5b747b6921ae41885271626439e18da20d434aac57a0

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
\Windows\system\spoolsv.exe

MD5
5765ccf2e54cb84e565348995e92af46

SHA1
210b9211faf38cb369928ee9049067e8300f577c

SHA256
c81af05f8835c8334310e8b863fb27eae03052308269b2e4ac8d1738fe422c22

SHA512
caf751a32277fd89dce176c7b65d5d76d9b7c47f0b6c0131f14dd2796a26bfa9b3af3da8c3acd3b19d5f5731da7c8b32e5529176460c3b22a258e4bd7afe44ab

Download Submit
memory/240-164-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/240-161-0x0000000000000000-mapping.dmp

Download
memory/388-270-0x0000000000000000-mapping.dmp

Download
memory/388-284-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/396-203-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/396-72-0x0000000000000000-mapping.dmp

Download
memory/396-77-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/396-190-0x0000000000000000-mapping.dmp

Download
memory/456-158-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/456-154-0x0000000000000000-mapping.dmp

Download
memory/532-66-0x0000000000411000-mapping.dmp

Download
memory/532-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/532-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/540-274-0x0000000000000000-mapping.dmp

Download
memory/548-312-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/548-306-0x0000000000000000-mapping.dmp

Download
memory/568-95-0x0000000000000000-mapping.dmp

Download
memory/568-98-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/584-244-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/584-233-0x0000000000000000-mapping.dmp

Download
memory/608-296-0x0000000000000000-mapping.dmp

Download
memory/672-308-0x0000000000000000-mapping.dmp

Download
memory/768-208-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/768-201-0x0000000000000000-mapping.dmp

Download
memory/772-80-0x0000000000403670-mapping.dmp

Download
memory/804-112-0x0000000000000000-mapping.dmp

Download
memory/804-119-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/904-149-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/904-142-0x0000000000000000-mapping.dmp

Download
memory/932-85-0x0000000000411000-mapping.dmp

Download
memory/952-148-0x0000000000000000-mapping.dmp

Download
memory/952-157-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/956-237-0x0000000000000000-mapping.dmp

Download
memory/956-246-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/960-268-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/960-259-0x0000000000000000-mapping.dmp

Download
memory/972-261-0x0000000000000000-mapping.dmp

Download
memory/972-269-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1044-216-0x0000000000000000-mapping.dmp

Download
memory/1044-227-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1048-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1048-59-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1064-130-0x0000000000000000-mapping.dmp

Download
memory/1064-137-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1116-310-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1116-304-0x0000000000000000-mapping.dmp

Download
memory/1160-136-0x0000000000000000-mapping.dmp

Download
memory/1164-106-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1164-101-0x0000000000000000-mapping.dmp

Download
memory/1280-280-0x0000000000000000-mapping.dmp

Download
memory/1296-209-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1296-206-0x0000000000000000-mapping.dmp

Download
memory/1368-212-0x0000000000000000-mapping.dmp

Download
memory/1368-225-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1376-272-0x0000000000000000-mapping.dmp

Download
memory/1376-286-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1384-220-0x0000000000000000-mapping.dmp

Download
memory/1384-229-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1420-235-0x0000000000000000-mapping.dmp

Download
memory/1420-245-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1516-293-0x0000000000000000-mapping.dmp

Download
memory/1528-205-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1528-196-0x0000000000000000-mapping.dmp

Download
memory/1580-294-0x0000000000000000-mapping.dmp

Download
memory/1584-255-0x0000000000000000-mapping.dmp

Download
memory/1596-118-0x0000000000000000-mapping.dmp

Download
memory/1596-126-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1612-62-0x0000000000403670-mapping.dmp

Download
memory/1612-295-0x0000000000000000-mapping.dmp

Download
memory/1612-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1612-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1620-309-0x0000000000000000-mapping.dmp

Download
memory/1636-298-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1636-291-0x0000000000000000-mapping.dmp

Download
memory/1648-230-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1648-222-0x0000000000000000-mapping.dmp

Download
memory/1700-231-0x0000000000000000-mapping.dmp

Download
memory/1704-192-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1704-185-0x0000000000000000-mapping.dmp

Download
memory/1716-218-0x0000000000000000-mapping.dmp

Download
memory/1760-248-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1760-241-0x0000000000000000-mapping.dmp

Download
memory/1780-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1780-124-0x0000000000000000-mapping.dmp

Download
memory/1836-249-0x0000000000000000-mapping.dmp

Download
memory/1840-253-0x0000000000000000-mapping.dmp

Download
memory/1840-265-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1852-297-0x0000000000000000-mapping.dmp

Download
memory/1856-264-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1856-251-0x0000000000000000-mapping.dmp

Download
memory/1860-239-0x0000000000000000-mapping.dmp

Download
memory/1868-115-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1868-107-0x0000000000000000-mapping.dmp

Download
memory/1880-267-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1880-257-0x0000000000000000-mapping.dmp

Download
memory/1904-305-0x0000000000000000-mapping.dmp

Download
memory/1912-210-0x0000000000000000-mapping.dmp

Download
memory/1916-172-0x0000000000000000-mapping.dmp

Download
memory/1972-167-0x0000000000000000-mapping.dmp

Download
memory/1972-176-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1984-288-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1984-276-0x0000000000000000-mapping.dmp

Download
memory/1992-278-0x0000000000000000-mapping.dmp

Download
memory/2012-307-0x0000000000000000-mapping.dmp

Download
memory/2012-313-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2020-226-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2020-214-0x0000000000000000-mapping.dmp

Download
memory/2024-178-0x0000000000000000-mapping.dmp

Download
memory/2024-182-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2036-285-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2036-282-0x0000000000000000-mapping.dmp

Download