warzonerat | d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804

Analysis

max time kernel
143s
max time network
47s
platform
windows7_x64
resource
win7v20210408
submitted
17-05-2021 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
Size

1.8MB
MD5

a01baf08c10a47c48ce4891fce9a1544
SHA1

ff1eb7a50534c1351ad854a99ab59ea1ecd9971f
SHA256

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804
SHA512

d0067360009a4c6bcb49b19e02024bd5b60ee1c5e0cb1391e9c59cd2a383b9587cea41464276cb803eaf58b14b540d2d04c421c9ddb6c5f4a462c9261359e184

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1464	explorer.exe
1144	explorer.exe
1376	spoolsv.exe
1516	spoolsv.exe
596	spoolsv.exe
764	spoolsv.exe
532	spoolsv.exe
1804	spoolsv.exe
1536	spoolsv.exe
1636	spoolsv.exe
572	spoolsv.exe
1572	spoolsv.exe
1656	spoolsv.exe
1568	spoolsv.exe
1456	spoolsv.exe
1060	spoolsv.exe
1892	spoolsv.exe
1720	spoolsv.exe
1392	spoolsv.exe
1684	spoolsv.exe
824	spoolsv.exe
1068	spoolsv.exe
328	spoolsv.exe
2036	spoolsv.exe
1372	spoolsv.exe
1728	spoolsv.exe
1996	spoolsv.exe
968	spoolsv.exe
1740	spoolsv.exe
900	spoolsv.exe
1248	spoolsv.exe
1592	spoolsv.exe
1652	spoolsv.exe
1736	spoolsv.exe
1708	spoolsv.exe
1776	spoolsv.exe
868	spoolsv.exe
1888	spoolsv.exe
1840	spoolsv.exe
1952	spoolsv.exe
1460	spoolsv.exe
620	spoolsv.exe
1064	spoolsv.exe
1544	spoolsv.exe
112	spoolsv.exe
916	spoolsv.exe
812	spoolsv.exe
1608	spoolsv.exe
1716	spoolsv.exe
940	spoolsv.exe
1796	spoolsv.exe
1792	spoolsv.exe
984	spoolsv.exe
520	spoolsv.exe
1748	spoolsv.exe
1308	spoolsv.exe
1616	spoolsv.exe
1464	spoolsv.exe
1016	spoolsv.exe
896	spoolsv.exe
1788	spoolsv.exe
1256	spoolsv.exe
1548	spoolsv.exe
1368	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exeexplorer.exe

pid	process
1760	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
1760	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe

Adds Run key to start application 2 TTPs 39 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exed49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1988 set thread context of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 set thread context of 1052	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 1464 set thread context of 1144	1464	explorer.exe	explorer.exe
PID 1464 set thread context of 1680	1464	explorer.exe	diskperf.exe
PID 1376 set thread context of 3196	1376	spoolsv.exe	spoolsv.exe
PID 1376 set thread context of 3204	1376	spoolsv.exe	diskperf.exe
PID 1516 set thread context of 3244	1516	spoolsv.exe	spoolsv.exe
PID 1516 set thread context of 3252	1516	spoolsv.exe	diskperf.exe
PID 596 set thread context of 3276	596	spoolsv.exe	spoolsv.exe
PID 596 set thread context of 3284	596	spoolsv.exe	diskperf.exe
PID 764 set thread context of 3312	764	spoolsv.exe	spoolsv.exe
PID 764 set thread context of 3320	764	spoolsv.exe	diskperf.exe
PID 532 set thread context of 3344	532	spoolsv.exe	spoolsv.exe
PID 532 set thread context of 3352	532	spoolsv.exe	diskperf.exe
PID 1804 set thread context of 3380	1804	spoolsv.exe	spoolsv.exe
PID 1804 set thread context of 3388	1804	spoolsv.exe	diskperf.exe
PID 1536 set thread context of 3420	1536	spoolsv.exe	spoolsv.exe
PID 1536 set thread context of 3428	1536	spoolsv.exe	diskperf.exe
PID 1636 set thread context of 3460	1636	spoolsv.exe	spoolsv.exe
PID 1636 set thread context of 3468	1636	spoolsv.exe	diskperf.exe
PID 572 set thread context of 3496	572	spoolsv.exe	spoolsv.exe
PID 572 set thread context of 3504	572	spoolsv.exe	diskperf.exe
PID 1572 set thread context of 3532	1572	spoolsv.exe	spoolsv.exe
PID 1572 set thread context of 3540	1572	spoolsv.exe	diskperf.exe
PID 1656 set thread context of 3560	1656	spoolsv.exe	spoolsv.exe
PID 1656 set thread context of 3568	1656	spoolsv.exe	diskperf.exe
PID 1568 set thread context of 3596	1568	spoolsv.exe	spoolsv.exe
PID 1568 set thread context of 3604	1568	spoolsv.exe	diskperf.exe
PID 1456 set thread context of 3624	1456	spoolsv.exe	spoolsv.exe
PID 1456 set thread context of 3632	1456	spoolsv.exe	diskperf.exe
PID 1060 set thread context of 3660	1060	spoolsv.exe	spoolsv.exe
PID 1060 set thread context of 3668	1060	spoolsv.exe	diskperf.exe
PID 1892 set thread context of 3688	1892	spoolsv.exe	spoolsv.exe
PID 1892 set thread context of 3696	1892	spoolsv.exe	diskperf.exe
PID 1720 set thread context of 3716	1720	spoolsv.exe	spoolsv.exe
PID 1720 set thread context of 3724	1720	spoolsv.exe	diskperf.exe
PID 1392 set thread context of 3744	1392	spoolsv.exe	spoolsv.exe
PID 1392 set thread context of 3752	1392	spoolsv.exe	diskperf.exe
PID 1684 set thread context of 3780	1684	spoolsv.exe	spoolsv.exe
PID 1684 set thread context of 3788	1684	spoolsv.exe	diskperf.exe
PID 824 set thread context of 3812	824	spoolsv.exe	spoolsv.exe
PID 824 set thread context of 3832	824	spoolsv.exe	diskperf.exe
PID 1068 set thread context of 3840	1068	spoolsv.exe	spoolsv.exe
PID 1068 set thread context of 3848	1068	spoolsv.exe	diskperf.exe
PID 328 set thread context of 3856	328	spoolsv.exe	spoolsv.exe
PID 328 set thread context of 3864	328	spoolsv.exe	diskperf.exe
PID 2036 set thread context of 3884	2036	spoolsv.exe	spoolsv.exe
PID 2036 set thread context of 3892	2036	spoolsv.exe	diskperf.exe
PID 1728 set thread context of 3912	1728	spoolsv.exe	spoolsv.exe
PID 1728 set thread context of 3920	1728	spoolsv.exe	diskperf.exe
PID 1372 set thread context of 3928	1372	spoolsv.exe	spoolsv.exe
PID 1372 set thread context of 3936	1372	spoolsv.exe	diskperf.exe
PID 1996 set thread context of 3948	1996	spoolsv.exe	spoolsv.exe
PID 1996 set thread context of 3956	1996	spoolsv.exe	diskperf.exe
PID 968 set thread context of 3980	968	spoolsv.exe	spoolsv.exe
PID 1740 set thread context of 3988	1740	spoolsv.exe	spoolsv.exe
PID 1740 set thread context of 4004	1740	spoolsv.exe	diskperf.exe
PID 968 set thread context of 3996	968	spoolsv.exe	diskperf.exe
PID 900 set thread context of 4024	900	spoolsv.exe	spoolsv.exe
PID 900 set thread context of 4032	900	spoolsv.exe	diskperf.exe
PID 1592 set thread context of 4040	1592	spoolsv.exe	spoolsv.exe
PID 1592 set thread context of 4048	1592	spoolsv.exe	diskperf.exe
PID 1248 set thread context of 4056	1248	spoolsv.exe	spoolsv.exe
PID 1652 set thread context of 4064	1652	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 4 IoCs

Processes:

spoolsv.exed49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exeexplorer.exe

pid	process
1760	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1144 explorer.exe

pid	process
1144	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1760	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
1760	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
1144	explorer.exe
3196	spoolsv.exe
3196	spoolsv.exe
3244	spoolsv.exe
3244	spoolsv.exe
3276	spoolsv.exe
3276	spoolsv.exe
3312	spoolsv.exe
3312	spoolsv.exe
3344	spoolsv.exe
3344	spoolsv.exe
3380	spoolsv.exe
3380	spoolsv.exe
3420	spoolsv.exe
3420	spoolsv.exe
3460	spoolsv.exe
3460	spoolsv.exe
3496	spoolsv.exe
3496	spoolsv.exe
3532	spoolsv.exe
3532	spoolsv.exe
3560	spoolsv.exe
3560	spoolsv.exe
3596	spoolsv.exe
3596	spoolsv.exe
3624	spoolsv.exe
3624	spoolsv.exe
3660	spoolsv.exe
3660	spoolsv.exe
3688	spoolsv.exe
3688	spoolsv.exe
3716	spoolsv.exe
3716	spoolsv.exe
3744	spoolsv.exe
3744	spoolsv.exe
3780	spoolsv.exe
3780	spoolsv.exe
3812	spoolsv.exe
3812	spoolsv.exe
3840	spoolsv.exe
3840	spoolsv.exe
3856	spoolsv.exe
3856	spoolsv.exe
3884	spoolsv.exe
3884	spoolsv.exe
3912	spoolsv.exe
3928	spoolsv.exe
3912	spoolsv.exe
3928	spoolsv.exe
3948	spoolsv.exe
3948	spoolsv.exe
3980	spoolsv.exe
3988	spoolsv.exe
3988	spoolsv.exe
3980	spoolsv.exe
4024	spoolsv.exe
4040	spoolsv.exe
4056	spoolsv.exe
4064	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exed49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1988 wrote to memory of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 wrote to memory of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 wrote to memory of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 wrote to memory of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 wrote to memory of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 wrote to memory of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 wrote to memory of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 wrote to memory of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 wrote to memory of 1760	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 1988 wrote to memory of 1052	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 1988 wrote to memory of 1052	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 1988 wrote to memory of 1052	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 1988 wrote to memory of 1052	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 1988 wrote to memory of 1052	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 1988 wrote to memory of 1052	1988	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 1760 wrote to memory of 1464	1760	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	explorer.exe
PID 1760 wrote to memory of 1464	1760	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	explorer.exe
PID 1760 wrote to memory of 1464	1760	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	explorer.exe
PID 1760 wrote to memory of 1464	1760	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	explorer.exe
PID 1464 wrote to memory of 1144	1464	explorer.exe	explorer.exe
PID 1464 wrote to memory of 1144	1464	explorer.exe	explorer.exe
PID 1464 wrote to memory of 1144	1464	explorer.exe	explorer.exe
PID 1464 wrote to memory of 1144	1464	explorer.exe	explorer.exe
PID 1464 wrote to memory of 1144	1464	explorer.exe	explorer.exe
PID 1464 wrote to memory of 1144	1464	explorer.exe	explorer.exe
PID 1464 wrote to memory of 1144	1464	explorer.exe	explorer.exe
PID 1464 wrote to memory of 1144	1464	explorer.exe	explorer.exe
PID 1464 wrote to memory of 1144	1464	explorer.exe	explorer.exe
PID 1464 wrote to memory of 1680	1464	explorer.exe	diskperf.exe
PID 1464 wrote to memory of 1680	1464	explorer.exe	diskperf.exe
PID 1464 wrote to memory of 1680	1464	explorer.exe	diskperf.exe
PID 1464 wrote to memory of 1680	1464	explorer.exe	diskperf.exe
PID 1464 wrote to memory of 1680	1464	explorer.exe	diskperf.exe
PID 1464 wrote to memory of 1680	1464	explorer.exe	diskperf.exe
PID 1144 wrote to memory of 1376	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1376	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1376	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1376	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1516	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1516	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1516	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1516	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 596	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 596	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 596	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 596	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 764	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 764	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 764	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 764	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 532	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 532	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 532	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 532	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1804	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1804	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1804	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1804	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1536	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1536	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1536	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1536	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1636	1144	explorer.exe	spoolsv.exe
PID 1144 wrote to memory of 1636	1144	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
"C:\Users\Admin\AppData\Local\Temp\d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
  "C:\Users\Admin\AppData\Local\Temp\d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1760
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1376
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3196
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3268
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1516
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3244
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:596
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3276
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3296
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:764
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3312
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3332
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3344
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3364
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1804
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3380
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3400
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1536
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3420
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3452
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1636
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3460
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3480
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:572
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3496
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3524
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1572
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3532
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3552
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1656
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3560
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3580
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1568
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3596
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3616
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1456
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3624
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3644
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1060
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3680
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1892
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3688
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3708
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1720
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3716
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3736
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1392
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3744
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3764
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1684
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3780
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3800
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:824
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3812
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3824
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1068
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3840
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:328
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3864
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2036
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3884
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3904
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1372
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3928
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1728
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3912
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1996
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3948
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3968
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:968
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3980
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4016
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1740
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3988
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:900
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4024
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1248
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4072
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1592
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4040
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1652
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1736
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4088
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3228
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1708
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3220
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3328
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1776
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:380
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:868
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1468
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3384
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1888
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3348
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1840
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1384
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1952
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3444
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1460
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3492
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:620
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3520
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1600
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1064
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3548
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3612
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1544
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1624
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:112
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1968
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:916
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3652
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:812
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1564
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3720
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1608
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1836
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1688
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1716
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3760
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3780
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:612
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1796
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3820
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1792
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3856
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:984
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3932
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3888
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:520
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3976
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3952
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1748
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1520
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1308
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1556
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1616
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1732
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1464
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4040
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1620
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1016
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3200
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:896
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3376
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1788
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1668
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3444
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1256
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3492
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:308
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1548
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3652
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1368
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1624
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3704
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:944
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:904
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3816
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:776
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3760
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1824
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3840
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:556
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:964
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1488
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1472
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3952
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1072
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1520
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1200
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3200
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1896
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1096
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3420
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:548
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1512
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:756
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1904
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:428
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1080
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1304
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1008
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1624
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:844
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:864
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1988
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1692
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3260
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1680
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
a01baf08c10a47c48ce4891fce9a1544

SHA1
ff1eb7a50534c1351ad854a99ab59ea1ecd9971f

SHA256
d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804

SHA512
d0067360009a4c6bcb49b19e02024bd5b60ee1c5e0cb1391e9c59cd2a383b9587cea41464276cb803eaf58b14b540d2d04c421c9ddb6c5f4a462c9261359e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
ac8d5f83d50328d70420d508bccfcbde

SHA1
98d877776bda8b3b768b14e5e5aee4f0d06ef4a4

SHA256
e2d54aa5f186c0522da91242cd2d5eed394f831b2e1b47698cb607a40d25845a

SHA512
39774a4713208411ef77544102465ae6d54634efe5da93a67dacfaf4add73eee3a330124d0fc5f7951b27ab0e37dfa762c2d113dcd871ab90691e7066de2364c

Download Submit
C:\Windows\system\explorer.exe

MD5
ac8d5f83d50328d70420d508bccfcbde

SHA1
98d877776bda8b3b768b14e5e5aee4f0d06ef4a4

SHA256
e2d54aa5f186c0522da91242cd2d5eed394f831b2e1b47698cb607a40d25845a

SHA512
39774a4713208411ef77544102465ae6d54634efe5da93a67dacfaf4add73eee3a330124d0fc5f7951b27ab0e37dfa762c2d113dcd871ab90691e7066de2364c

Download Submit
C:\Windows\system\explorer.exe

MD5
ac8d5f83d50328d70420d508bccfcbde

SHA1
98d877776bda8b3b768b14e5e5aee4f0d06ef4a4

SHA256
e2d54aa5f186c0522da91242cd2d5eed394f831b2e1b47698cb607a40d25845a

SHA512
39774a4713208411ef77544102465ae6d54634efe5da93a67dacfaf4add73eee3a330124d0fc5f7951b27ab0e37dfa762c2d113dcd871ab90691e7066de2364c

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
C:\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\??\c:\windows\system\explorer.exe

MD5
ac8d5f83d50328d70420d508bccfcbde

SHA1
98d877776bda8b3b768b14e5e5aee4f0d06ef4a4

SHA256
e2d54aa5f186c0522da91242cd2d5eed394f831b2e1b47698cb607a40d25845a

SHA512
39774a4713208411ef77544102465ae6d54634efe5da93a67dacfaf4add73eee3a330124d0fc5f7951b27ab0e37dfa762c2d113dcd871ab90691e7066de2364c

Download Submit
\Windows\system\explorer.exe

MD5
ac8d5f83d50328d70420d508bccfcbde

SHA1
98d877776bda8b3b768b14e5e5aee4f0d06ef4a4

SHA256
e2d54aa5f186c0522da91242cd2d5eed394f831b2e1b47698cb607a40d25845a

SHA512
39774a4713208411ef77544102465ae6d54634efe5da93a67dacfaf4add73eee3a330124d0fc5f7951b27ab0e37dfa762c2d113dcd871ab90691e7066de2364c

Download Submit
\Windows\system\explorer.exe

MD5
ac8d5f83d50328d70420d508bccfcbde

SHA1
98d877776bda8b3b768b14e5e5aee4f0d06ef4a4

SHA256
e2d54aa5f186c0522da91242cd2d5eed394f831b2e1b47698cb607a40d25845a

SHA512
39774a4713208411ef77544102465ae6d54634efe5da93a67dacfaf4add73eee3a330124d0fc5f7951b27ab0e37dfa762c2d113dcd871ab90691e7066de2364c

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
\Windows\system\spoolsv.exe

MD5
f730a9ba0863f31183a043e0cf781b79

SHA1
4c987b0451ea91c39599adf3ea6f40fbb330156c

SHA256
3343ce5d93179776c1790bad93bc92b9882553c1b25e05229b51180121c1f728

SHA512
2a54165f4ee1d2d83c967e4bf4e1764e6dac1a5d84498c21736d69142bcec585c6901051666e8cb6b1f2ab82067117e60ff93b7340b7544a1709d9973f9b2442

Download Submit
memory/112-278-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/112-270-0x0000000000000000-mapping.dmp

Download
memory/328-208-0x0000000000000000-mapping.dmp

Download
memory/520-306-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/520-299-0x0000000000000000-mapping.dmp

Download
memory/532-131-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/532-117-0x0000000000000000-mapping.dmp

Download
memory/572-156-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/572-142-0x0000000000000000-mapping.dmp

Download
memory/596-106-0x0000000000000000-mapping.dmp

Download
memory/596-118-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/620-275-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/620-264-0x0000000000000000-mapping.dmp

Download
memory/764-119-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/764-111-0x0000000000000000-mapping.dmp

Download
memory/812-281-0x0000000000000000-mapping.dmp

Download
memory/812-292-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/824-203-0x0000000000000000-mapping.dmp

Download
memory/868-247-0x0000000000000000-mapping.dmp

Download
memory/868-256-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/896-312-0x0000000000000000-mapping.dmp

Download
memory/900-226-0x0000000000000000-mapping.dmp

Download
memory/900-235-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/916-279-0x0000000000000000-mapping.dmp

Download
memory/916-291-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/940-287-0x0000000000000000-mapping.dmp

Download
memory/968-233-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/968-222-0x0000000000000000-mapping.dmp

Download
memory/984-305-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/984-298-0x0000000000000000-mapping.dmp

Download
memory/1016-311-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1016-304-0x0000000000000000-mapping.dmp

Download
memory/1052-65-0x0000000000411000-mapping.dmp

Download
memory/1052-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1052-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1060-173-0x0000000000000000-mapping.dmp

Download
memory/1064-266-0x0000000000000000-mapping.dmp

Download
memory/1068-206-0x0000000000000000-mapping.dmp

Download
memory/1068-213-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1144-80-0x0000000000403670-mapping.dmp

Download
memory/1248-236-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1248-228-0x0000000000000000-mapping.dmp

Download
memory/1308-301-0x0000000000000000-mapping.dmp

Download
memory/1308-308-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1372-230-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1372-216-0x0000000000000000-mapping.dmp

Download
memory/1376-102-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1376-95-0x0000000000000000-mapping.dmp

Download
memory/1392-200-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1392-190-0x0000000000000000-mapping.dmp

Download
memory/1456-170-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1456-166-0x0000000000000000-mapping.dmp

Download
memory/1460-262-0x0000000000000000-mapping.dmp

Download
memory/1464-73-0x0000000000000000-mapping.dmp

Download
memory/1464-303-0x0000000000000000-mapping.dmp

Download
memory/1464-77-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1516-114-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1516-100-0x0000000000000000-mapping.dmp

Download
memory/1536-134-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1536-129-0x0000000000000000-mapping.dmp

Download
memory/1544-268-0x0000000000000000-mapping.dmp

Download
memory/1544-277-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1568-161-0x0000000000000000-mapping.dmp

Download
memory/1572-157-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1572-148-0x0000000000000000-mapping.dmp

Download
memory/1592-237-0x0000000000000000-mapping.dmp

Download
memory/1592-251-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1608-283-0x0000000000000000-mapping.dmp

Download
memory/1616-302-0x0000000000000000-mapping.dmp

Download
memory/1636-137-0x0000000000000000-mapping.dmp

Download
memory/1636-145-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1652-239-0x0000000000000000-mapping.dmp

Download
memory/1652-252-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1656-153-0x0000000000000000-mapping.dmp

Download
memory/1656-158-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1680-85-0x0000000000411000-mapping.dmp

Download
memory/1684-195-0x0000000000000000-mapping.dmp

Download
memory/1708-243-0x0000000000000000-mapping.dmp

Download
memory/1708-254-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1716-294-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1716-285-0x0000000000000000-mapping.dmp

Download
memory/1720-183-0x0000000000000000-mapping.dmp

Download
memory/1728-231-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1728-218-0x0000000000000000-mapping.dmp

Download
memory/1736-241-0x0000000000000000-mapping.dmp

Download
memory/1740-234-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1740-224-0x0000000000000000-mapping.dmp

Download
memory/1748-300-0x0000000000000000-mapping.dmp

Download
memory/1748-307-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1760-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1760-62-0x0000000000403670-mapping.dmp

Download
memory/1760-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1776-245-0x0000000000000000-mapping.dmp

Download
memory/1788-313-0x0000000000000000-mapping.dmp

Download
memory/1792-290-0x0000000000000000-mapping.dmp

Download
memory/1796-289-0x0000000000000000-mapping.dmp

Download
memory/1796-296-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1804-124-0x0000000000000000-mapping.dmp

Download
memory/1804-133-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1840-258-0x0000000000000000-mapping.dmp

Download
memory/1888-249-0x0000000000000000-mapping.dmp

Download
memory/1888-257-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1892-185-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1892-178-0x0000000000000000-mapping.dmp

Download
memory/1952-273-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1952-260-0x0000000000000000-mapping.dmp

Download
memory/1988-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1988-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1996-220-0x0000000000000000-mapping.dmp

Download
memory/1996-232-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2036-210-0x0000000000000000-mapping.dmp

Download
memory/2036-214-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download