warzonerat | dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5

Analysis

max time kernel
151s
max time network
71s
platform
windows10_x64
resource
win10v20210408
submitted
16-05-2021 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
Size

3.2MB
MD5

b81e06b29c4e1058dd8755929a9a2d9e
SHA1

88fd34046f329f209023aa368f230e9b432e4291
SHA256

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5
SHA512

b74cd3db0cc851e1dde6c36a6de32f3102439c788f398b90699ce47f92e7722f9b177838d739801ec19e991e17ceddfa0ff6ddfbb0525233281e9d091a5a2e53

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2016	explorer.exe
4008	explorer.exe
2284	spoolsv.exe
2076	spoolsv.exe
2128	spoolsv.exe
3672	spoolsv.exe
1000	spoolsv.exe
4092	spoolsv.exe
972	spoolsv.exe
3504	spoolsv.exe
344	spoolsv.exe
3304	spoolsv.exe
1104	spoolsv.exe
904	spoolsv.exe
2884	spoolsv.exe
416	spoolsv.exe
3444	spoolsv.exe
1272	spoolsv.exe
4028	spoolsv.exe
204	spoolsv.exe
812	spoolsv.exe
2276	spoolsv.exe
2512	spoolsv.exe
1212	spoolsv.exe
1980	spoolsv.exe
192	spoolsv.exe
1972	spoolsv.exe
3632	spoolsv.exe
2248	spoolsv.exe
2052	spoolsv.exe
2308	spoolsv.exe
3644	spoolsv.exe
3500	spoolsv.exe
3352	spoolsv.exe
1632	spoolsv.exe
2728	spoolsv.exe
1848	spoolsv.exe
2232	spoolsv.exe
3676	spoolsv.exe
780	spoolsv.exe
3716	spoolsv.exe
2876	spoolsv.exe
1296	spoolsv.exe
208	spoolsv.exe
1284	spoolsv.exe
508	spoolsv.exe
4016	spoolsv.exe
3928	spoolsv.exe
4120	spoolsv.exe
4144	spoolsv.exe
4168	spoolsv.exe
4204	spoolsv.exe
4228	spoolsv.exe
4252	spoolsv.exe
4288	spoolsv.exe
4312	spoolsv.exe
4344	spoolsv.exe
4368	spoolsv.exe
4400	spoolsv.exe
4424	spoolsv.exe
4448	spoolsv.exe
4468	spoolsv.exe
4500	spoolsv.exe
4516	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exedba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 59 IoCs

Processes:

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 808 set thread context of 2624	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 2016 set thread context of 4008	2016	explorer.exe	explorer.exe
PID 2016 set thread context of 1464	2016	explorer.exe	diskperf.exe
PID 2284 set thread context of 6368	2284	spoolsv.exe	spoolsv.exe
PID 2284 set thread context of 6396	2284	spoolsv.exe	diskperf.exe
PID 2076 set thread context of 6468	2076	spoolsv.exe	spoolsv.exe
PID 2076 set thread context of 6496	2076	spoolsv.exe	diskperf.exe
PID 2128 set thread context of 6536	2128	spoolsv.exe	spoolsv.exe
PID 2128 set thread context of 6552	2128	spoolsv.exe	diskperf.exe
PID 3672 set thread context of 6576	3672	spoolsv.exe	spoolsv.exe
PID 3672 set thread context of 6604	3672	spoolsv.exe	diskperf.exe
PID 1000 set thread context of 6680	1000	spoolsv.exe	spoolsv.exe
PID 4092 set thread context of 6744	4092	spoolsv.exe	spoolsv.exe
PID 972 set thread context of 6784	972	spoolsv.exe	spoolsv.exe
PID 3504 set thread context of 6848	3504	spoolsv.exe	spoolsv.exe
PID 3504 set thread context of 6864	3504	spoolsv.exe	diskperf.exe
PID 344 set thread context of 6932	344	spoolsv.exe	spoolsv.exe
PID 3304 set thread context of 6996	3304	spoolsv.exe	spoolsv.exe
PID 3304 set thread context of 7012	3304	spoolsv.exe	diskperf.exe
PID 1104 set thread context of 7060	1104	spoolsv.exe	spoolsv.exe
PID 1104 set thread context of 7072	1104	spoolsv.exe	diskperf.exe
PID 904 set thread context of 7116	904	spoolsv.exe	spoolsv.exe
PID 2884 set thread context of 7164	2884	spoolsv.exe	spoolsv.exe
PID 416 set thread context of 6476	416	spoolsv.exe	spoolsv.exe
PID 416 set thread context of 6492	416	spoolsv.exe	diskperf.exe
PID 3444 set thread context of 6516	3444	spoolsv.exe	spoolsv.exe
PID 3444 set thread context of 6504	3444	spoolsv.exe	diskperf.exe
PID 1272 set thread context of 6592	1272	spoolsv.exe	spoolsv.exe
PID 1272 set thread context of 6612	1272	spoolsv.exe	diskperf.exe
PID 4028 set thread context of 6564	4028	spoolsv.exe	spoolsv.exe
PID 4028 set thread context of 6616	4028	spoolsv.exe	diskperf.exe
PID 204 set thread context of 6720	204	spoolsv.exe	spoolsv.exe
PID 204 set thread context of 6692	204	spoolsv.exe	diskperf.exe
PID 812 set thread context of 6756	812	spoolsv.exe	spoolsv.exe
PID 812 set thread context of 6800	812	spoolsv.exe	diskperf.exe
PID 2276 set thread context of 1544	2276	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 2524	2276	spoolsv.exe	diskperf.exe
PID 2512 set thread context of 6872	2512	spoolsv.exe	spoolsv.exe
PID 2512 set thread context of 1828	2512	spoolsv.exe	diskperf.exe
PID 1212 set thread context of 6960	1212	spoolsv.exe	spoolsv.exe
PID 1212 set thread context of 7004	1212	spoolsv.exe	diskperf.exe
PID 1980 set thread context of 1012	1980	spoolsv.exe	spoolsv.exe
PID 1980 set thread context of 7088	1980	spoolsv.exe	diskperf.exe
PID 192 set thread context of 7148	192	spoolsv.exe	spoolsv.exe
PID 1972 set thread context of 6416	1972	spoolsv.exe	spoolsv.exe
PID 1972 set thread context of 6372	1972	spoolsv.exe	diskperf.exe
PID 3632 set thread context of 1320	3632	spoolsv.exe	spoolsv.exe
PID 3632 set thread context of 6568	3632	spoolsv.exe	diskperf.exe
PID 2248 set thread context of 6592	2248	spoolsv.exe	spoolsv.exe
PID 2248 set thread context of 1148	2248	spoolsv.exe	diskperf.exe
PID 2052 set thread context of 6748	2052	spoolsv.exe	spoolsv.exe
PID 2308 set thread context of 6804	2308	spoolsv.exe	spoolsv.exe
PID 2308 set thread context of 2624	2308	spoolsv.exe	diskperf.exe
PID 3644 set thread context of 6860	3644	spoolsv.exe	spoolsv.exe
PID 3644 set thread context of 6956	3644	spoolsv.exe	diskperf.exe
PID 3500 set thread context of 6960	3500	spoolsv.exe	spoolsv.exe
PID 3500 set thread context of 2760	3500	spoolsv.exe	diskperf.exe
PID 3352 set thread context of 1780	3352	spoolsv.exe	spoolsv.exe
PID 1632 set thread context of 6384	1632	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exedba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exeexplorer.exe

pid	process
2624	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
2624	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

4008 explorer.exe

pid	process
4008	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2624	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
2624	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
4008	explorer.exe
6368	spoolsv.exe
6368	spoolsv.exe
6468	spoolsv.exe
6468	spoolsv.exe
6536	spoolsv.exe
6536	spoolsv.exe
6576	spoolsv.exe
6576	spoolsv.exe
6680	spoolsv.exe
6680	spoolsv.exe
6744	spoolsv.exe
6744	spoolsv.exe
6784	spoolsv.exe
6784	spoolsv.exe
6848	spoolsv.exe
6848	spoolsv.exe
6932	spoolsv.exe
6932	spoolsv.exe
6996	spoolsv.exe
6996	spoolsv.exe
7060	spoolsv.exe
7060	spoolsv.exe
7116	spoolsv.exe
7116	spoolsv.exe
7164	spoolsv.exe
7164	spoolsv.exe
6476	spoolsv.exe
6476	spoolsv.exe
6516	spoolsv.exe
6516	spoolsv.exe
6592	spoolsv.exe
6592	spoolsv.exe
6564	spoolsv.exe
6564	spoolsv.exe
6720	spoolsv.exe
6720	spoolsv.exe
6756	spoolsv.exe
6756	spoolsv.exe
1544	spoolsv.exe
1544	spoolsv.exe
6872	spoolsv.exe
6872	spoolsv.exe
6960	spoolsv.exe
6960	spoolsv.exe
1012	spoolsv.exe
1012	spoolsv.exe
7148	spoolsv.exe
7148	spoolsv.exe
6416	spoolsv.exe
6416	spoolsv.exe
1320	spoolsv.exe
1320	spoolsv.exe
6592	spoolsv.exe
6592	spoolsv.exe
6748	spoolsv.exe
6748	spoolsv.exe
6804	spoolsv.exe
6804	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exedba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 808 wrote to memory of 2624	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 808 wrote to memory of 2624	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 808 wrote to memory of 2624	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 808 wrote to memory of 2624	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 808 wrote to memory of 2624	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 808 wrote to memory of 2624	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 808 wrote to memory of 2624	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 808 wrote to memory of 2624	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
PID 808 wrote to memory of 184	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 808 wrote to memory of 184	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 808 wrote to memory of 184	808	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	diskperf.exe
PID 2624 wrote to memory of 2016	2624	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	explorer.exe
PID 2624 wrote to memory of 2016	2624	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	explorer.exe
PID 2624 wrote to memory of 2016	2624	dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe	explorer.exe
PID 2016 wrote to memory of 4008	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 4008	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 4008	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 4008	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 4008	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 4008	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 4008	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 4008	2016	explorer.exe	explorer.exe
PID 2016 wrote to memory of 1464	2016	explorer.exe	diskperf.exe
PID 2016 wrote to memory of 1464	2016	explorer.exe	diskperf.exe
PID 2016 wrote to memory of 1464	2016	explorer.exe	diskperf.exe
PID 2016 wrote to memory of 1464	2016	explorer.exe	diskperf.exe
PID 2016 wrote to memory of 1464	2016	explorer.exe	diskperf.exe
PID 4008 wrote to memory of 2284	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 2284	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 2284	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 2076	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 2076	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 2076	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 2128	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 2128	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 2128	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 3672	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 3672	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 3672	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 1000	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 1000	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 1000	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 4092	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 4092	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 4092	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 972	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 972	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 972	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 3504	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 3504	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 3504	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 344	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 344	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 344	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 3304	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 3304	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 3304	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 1104	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 1104	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 1104	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 904	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 904	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 904	4008	explorer.exe	spoolsv.exe
PID 4008 wrote to memory of 2884	4008	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
"C:\Users\Admin\AppData\Local\Temp\dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe
  "C:\Users\Admin\AppData\Local\Temp\dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2284
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6368
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6460
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2076
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6468
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2128
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6536
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6640
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3672
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6576
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1000
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6680
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6724
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4092
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6744
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6784
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6828
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3504
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6848
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6912
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:344
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6932
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6976
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3304
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6996
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7040
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7060
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7092
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:904
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7116
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7140
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2884
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7164
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6420
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:416
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6476
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2168
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3444
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6516
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6572
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1272
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6592
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6668
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4028
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6564
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6696
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:204
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6720
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6776
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:812
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6756
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6788
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2276
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1544
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3888
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2512
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6872
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6948
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1212
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6960
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7000
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1980
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1012
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7128
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:192
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7148
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6408
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6416
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3412
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3632
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6660
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2248
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6592
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6548
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6748
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1292
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2308
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6804
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6880
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6860
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3500
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6960
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7104
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3352
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1780
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1504
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1632
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6384
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2272
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6424
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1464
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
b81e06b29c4e1058dd8755929a9a2d9e

SHA1
88fd34046f329f209023aa368f230e9b432e4291

SHA256
dba7c1179e386b32ab9a0af8d9d6a58d90757a5ab0d4dab81a65c52043ae58d5

SHA512
b74cd3db0cc851e1dde6c36a6de32f3102439c788f398b90699ce47f92e7722f9b177838d739801ec19e991e17ceddfa0ff6ddfbb0525233281e9d091a5a2e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
7b19c9d320647f02ed60c21445357d79

SHA1
a161a4baf47eb33ecc381d8f46d8e689c4dffc3e

SHA256
ceb1696a1d679c2af5a4fc93c3eae5aece9c518f7ad41661ec3527072ebe1bb2

SHA512
e4fd4b684b9b8bdb2936556ac68a4b8d20ae925f17f0ed4bf13de3cf3ed56001445da184fdcb2d1d5f56e23dc3f97c61ce30164c52d1ea91d18bbb1060192202

Download Submit
C:\Windows\System\explorer.exe

MD5
7b19c9d320647f02ed60c21445357d79

SHA1
a161a4baf47eb33ecc381d8f46d8e689c4dffc3e

SHA256
ceb1696a1d679c2af5a4fc93c3eae5aece9c518f7ad41661ec3527072ebe1bb2

SHA512
e4fd4b684b9b8bdb2936556ac68a4b8d20ae925f17f0ed4bf13de3cf3ed56001445da184fdcb2d1d5f56e23dc3f97c61ce30164c52d1ea91d18bbb1060192202

Download Submit
C:\Windows\System\explorer.exe

MD5
7b19c9d320647f02ed60c21445357d79

SHA1
a161a4baf47eb33ecc381d8f46d8e689c4dffc3e

SHA256
ceb1696a1d679c2af5a4fc93c3eae5aece9c518f7ad41661ec3527072ebe1bb2

SHA512
e4fd4b684b9b8bdb2936556ac68a4b8d20ae925f17f0ed4bf13de3cf3ed56001445da184fdcb2d1d5f56e23dc3f97c61ce30164c52d1ea91d18bbb1060192202

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
C:\Windows\System\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
\??\c:\windows\system\explorer.exe

MD5
7b19c9d320647f02ed60c21445357d79

SHA1
a161a4baf47eb33ecc381d8f46d8e689c4dffc3e

SHA256
ceb1696a1d679c2af5a4fc93c3eae5aece9c518f7ad41661ec3527072ebe1bb2

SHA512
e4fd4b684b9b8bdb2936556ac68a4b8d20ae925f17f0ed4bf13de3cf3ed56001445da184fdcb2d1d5f56e23dc3f97c61ce30164c52d1ea91d18bbb1060192202

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
47a1779d7297758ddbe9c3b47e2a9a86

SHA1
a0ccd7f7e441f3eb87de6c1e56f499d94cd558d9

SHA256
2344c9120458275ba2017dfa94f635faa037612b230ae09bc236e6cde2ba3c02

SHA512
fbc54413993d7cf418fa6484c7f708f66a1e423eef292eb8248f4291566ee4ff964b593adbc55bea6345f3f35127f2655b88ddf45db4a1d4bd6aee0d13c63187

Download Submit
memory/192-209-0x0000000000000000-mapping.dmp

Download
memory/192-215-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/204-189-0x0000000000000000-mapping.dmp

Download
memory/204-192-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/208-261-0x0000000000000000-mapping.dmp

Download
memory/208-265-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/344-162-0x0000000000000000-mapping.dmp

Download
memory/344-166-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/416-183-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/416-178-0x0000000000000000-mapping.dmp

Download
memory/508-271-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/508-268-0x0000000000000000-mapping.dmp

Download
memory/780-250-0x0000000000000000-mapping.dmp

Download
memory/780-256-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/808-114-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/812-198-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/812-194-0x0000000000000000-mapping.dmp

Download
memory/904-171-0x0000000000000000-mapping.dmp

Download
memory/904-175-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/972-157-0x0000000000000000-mapping.dmp

Download
memory/972-164-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1000-152-0x0000000000000000-mapping.dmp

Download
memory/1000-156-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1104-169-0x0000000000000000-mapping.dmp

Download
memory/1104-174-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1212-202-0x0000000000000000-mapping.dmp

Download
memory/1212-208-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1272-191-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-185-0x0000000000000000-mapping.dmp

Download
memory/1284-266-0x0000000000000000-mapping.dmp

Download
memory/1284-270-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1296-264-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1296-259-0x0000000000000000-mapping.dmp

Download
memory/1464-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1464-131-0x0000000000411000-mapping.dmp

Download
memory/1464-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1632-238-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/1632-235-0x0000000000000000-mapping.dmp

Download
memory/1848-247-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1848-241-0x0000000000000000-mapping.dmp

Download
memory/1972-211-0x0000000000000000-mapping.dmp

Download
memory/1972-217-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1980-207-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1980-204-0x0000000000000000-mapping.dmp

Download
memory/2016-121-0x0000000000000000-mapping.dmp

Download
memory/2016-124-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2052-220-0x0000000000000000-mapping.dmp

Download
memory/2076-150-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2076-142-0x0000000000000000-mapping.dmp

Download
memory/2128-151-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2128-144-0x0000000000000000-mapping.dmp

Download
memory/2232-243-0x0000000000000000-mapping.dmp

Download
memory/2232-246-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2248-222-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2248-218-0x0000000000000000-mapping.dmp

Download
memory/2276-196-0x0000000000000000-mapping.dmp

Download
memory/2276-199-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2284-139-0x0000000000000000-mapping.dmp

Download
memory/2308-224-0x0000000000000000-mapping.dmp

Download
memory/2512-200-0x0000000000000000-mapping.dmp

Download
memory/2512-206-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2624-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-118-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2624-116-0x0000000000403670-mapping.dmp

Download
memory/2728-245-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/2728-239-0x0000000000000000-mapping.dmp

Download
memory/2876-257-0x0000000000000000-mapping.dmp

Download
memory/2876-263-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2884-176-0x0000000000000000-mapping.dmp

Download
memory/2884-182-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3304-167-0x0000000000000000-mapping.dmp

Download
memory/3304-173-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3352-233-0x0000000000000000-mapping.dmp

Download
memory/3444-180-0x0000000000000000-mapping.dmp

Download
memory/3444-184-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3500-231-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/3500-228-0x0000000000000000-mapping.dmp

Download
memory/3504-160-0x0000000000000000-mapping.dmp

Download
memory/3504-165-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/3632-213-0x0000000000000000-mapping.dmp

Download
memory/3632-216-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3644-226-0x0000000000000000-mapping.dmp

Download
memory/3644-232-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/3672-149-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3672-146-0x0000000000000000-mapping.dmp

Download
memory/3676-248-0x0000000000000000-mapping.dmp

Download
memory/3676-254-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3716-252-0x0000000000000000-mapping.dmp

Download
memory/3716-255-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3928-274-0x0000000000000000-mapping.dmp

Download
memory/3928-277-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4008-126-0x0000000000403670-mapping.dmp

Download
memory/4016-276-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4016-272-0x0000000000000000-mapping.dmp

Download
memory/4028-193-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/4028-187-0x0000000000000000-mapping.dmp

Download
memory/4092-154-0x0000000000000000-mapping.dmp

Download
memory/4092-158-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4120-278-0x0000000000000000-mapping.dmp

Download
memory/4120-284-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4144-286-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4144-280-0x0000000000000000-mapping.dmp

Download
memory/4168-282-0x0000000000000000-mapping.dmp

Download
memory/4168-285-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4204-287-0x0000000000000000-mapping.dmp

Download
memory/4204-293-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4228-295-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4228-289-0x0000000000000000-mapping.dmp

Download
memory/4252-294-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4252-291-0x0000000000000000-mapping.dmp

Download
memory/4288-296-0x0000000000000000-mapping.dmp

Download
memory/4288-300-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4312-298-0x0000000000000000-mapping.dmp

Download
memory/4312-301-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4344-302-0x0000000000000000-mapping.dmp

Download
memory/4344-306-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4368-307-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4368-304-0x0000000000000000-mapping.dmp

Download
memory/4400-308-0x0000000000000000-mapping.dmp

Download
memory/4400-314-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4424-310-0x0000000000000000-mapping.dmp

Download
memory/4424-315-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4448-312-0x0000000000000000-mapping.dmp

Download
memory/4448-316-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4468-313-0x0000000000000000-mapping.dmp

Download
memory/6744-352-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download