warzonerat | d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804

Analysis

max time kernel
150s
max time network
110s
platform
windows10_x64
resource
win10v20210410
submitted
17-05-2021 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
Size

1.8MB
MD5

a01baf08c10a47c48ce4891fce9a1544
SHA1

ff1eb7a50534c1351ad854a99ab59ea1ecd9971f
SHA256

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804
SHA512

d0067360009a4c6bcb49b19e02024bd5b60ee1c5e0cb1391e9c59cd2a383b9587cea41464276cb803eaf58b14b540d2d04c421c9ddb6c5f4a462c9261359e184

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1248	explorer.exe
2980	explorer.exe
2700	spoolsv.exe
3788	spoolsv.exe
1436	spoolsv.exe
2060	spoolsv.exe
2320	spoolsv.exe
3968	spoolsv.exe
4016	spoolsv.exe
3524	spoolsv.exe
1844	spoolsv.exe
1820	spoolsv.exe
3996	spoolsv.exe
644	spoolsv.exe
732	spoolsv.exe
204	spoolsv.exe
3156	spoolsv.exe
3336	spoolsv.exe
1772	spoolsv.exe
3012	spoolsv.exe
2816	spoolsv.exe
932	spoolsv.exe
2244	spoolsv.exe
3104	spoolsv.exe
3140	spoolsv.exe
3864	spoolsv.exe
604	spoolsv.exe
2144	spoolsv.exe
3260	spoolsv.exe
3692	spoolsv.exe
412	spoolsv.exe
2532	spoolsv.exe
3796	spoolsv.exe
2940	spoolsv.exe
2744	spoolsv.exe
2084	spoolsv.exe
2936	spoolsv.exe
3932	spoolsv.exe
208	spoolsv.exe
2528	spoolsv.exe
2740	spoolsv.exe
3804	spoolsv.exe
1304	spoolsv.exe
3892	spoolsv.exe
3380	spoolsv.exe
1228	spoolsv.exe
2180	spoolsv.exe
3992	spoolsv.exe
2176	spoolsv.exe
3876	spoolsv.exe
4112	spoolsv.exe
4136	spoolsv.exe
4160	spoolsv.exe
4188	spoolsv.exe
4224	spoolsv.exe
4248	spoolsv.exe
4272	spoolsv.exe
4308	spoolsv.exe
4332	spoolsv.exe
4356	spoolsv.exe
4392	spoolsv.exe
4412	spoolsv.exe
4428	spoolsv.exe
4444	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exed49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3896 set thread context of 188	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 3896 set thread context of 3468	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 1248 set thread context of 2980	1248	explorer.exe	explorer.exe
PID 1248 set thread context of 1468	1248	explorer.exe	diskperf.exe
PID 2700 set thread context of 6588	2700	spoolsv.exe	spoolsv.exe
PID 3788 set thread context of 6668	3788	spoolsv.exe	spoolsv.exe
PID 3788 set thread context of 6684	3788	spoolsv.exe	diskperf.exe
PID 1436 set thread context of 6748	1436	spoolsv.exe	spoolsv.exe
PID 1436 set thread context of 6772	1436	spoolsv.exe	diskperf.exe
PID 2060 set thread context of 6804	2060	spoolsv.exe	spoolsv.exe
PID 2060 set thread context of 6828	2060	spoolsv.exe	diskperf.exe
PID 2320 set thread context of 6840	2320	spoolsv.exe	spoolsv.exe
PID 3968 set thread context of 6880	3968	spoolsv.exe	spoolsv.exe
PID 2320 set thread context of 6872	2320	spoolsv.exe	diskperf.exe
PID 4016 set thread context of 6960	4016	spoolsv.exe	spoolsv.exe
PID 3524 set thread context of 6980	3524	spoolsv.exe	spoolsv.exe
PID 4016 set thread context of 6996	4016	spoolsv.exe	diskperf.exe
PID 3524 set thread context of 7028	3524	spoolsv.exe	diskperf.exe
PID 1844 set thread context of 7040	1844	spoolsv.exe	spoolsv.exe
PID 1820 set thread context of 7064	1820	spoolsv.exe	spoolsv.exe
PID 1844 set thread context of 7104	1844	spoolsv.exe	diskperf.exe
PID 1820 set thread context of 7124	1820	spoolsv.exe	diskperf.exe
PID 3996 set thread context of 7140	3996	spoolsv.exe	spoolsv.exe
PID 644 set thread context of 7152	644	spoolsv.exe	spoolsv.exe
PID 3996 set thread context of 7164	3996	spoolsv.exe	diskperf.exe
PID 644 set thread context of 3900	644	spoolsv.exe	diskperf.exe
PID 732 set thread context of 2288	732	spoolsv.exe	spoolsv.exe
PID 204 set thread context of 6760	204	spoolsv.exe	spoolsv.exe
PID 204 set thread context of 6768	204	spoolsv.exe	diskperf.exe
PID 3156 set thread context of 6796	3156	spoolsv.exe	spoolsv.exe
PID 3156 set thread context of 6752	3156	spoolsv.exe	diskperf.exe
PID 3336 set thread context of 6864	3336	spoolsv.exe	spoolsv.exe
PID 3336 set thread context of 6888	3336	spoolsv.exe	diskperf.exe
PID 1772 set thread context of 4000	1772	spoolsv.exe	spoolsv.exe
PID 1772 set thread context of 2968	1772	spoolsv.exe	diskperf.exe
PID 3012 set thread context of 2928	3012	spoolsv.exe	spoolsv.exe
PID 3012 set thread context of 7004	3012	spoolsv.exe	diskperf.exe
PID 2816 set thread context of 7060	2816	spoolsv.exe	spoolsv.exe
PID 932 set thread context of 7012	932	spoolsv.exe	diskperf.exe
PID 932 set thread context of 2132	932	spoolsv.exe	diskperf.exe
PID 2244 set thread context of 7144	2244	spoolsv.exe	spoolsv.exe
PID 2244 set thread context of 6720	2244	spoolsv.exe	diskperf.exe
PID 3104 set thread context of 6672	3104	spoolsv.exe	spoolsv.exe
PID 3104 set thread context of 6680	3104	spoolsv.exe	diskperf.exe
PID 3140 set thread context of 3448	3140	spoolsv.exe	diskperf.exe
PID 3140 set thread context of 4024	3140	spoolsv.exe	diskperf.exe
PID 3864 set thread context of 6956	3864	spoolsv.exe	spoolsv.exe
PID 3864 set thread context of 6952	3864	spoolsv.exe	diskperf.exe
PID 604 set thread context of 7016	604	spoolsv.exe	spoolsv.exe
PID 604 set thread context of 6920	604	spoolsv.exe	diskperf.exe
PID 2144 set thread context of 4440	2144	spoolsv.exe	spoolsv.exe
PID 2144 set thread context of 2016	2144	spoolsv.exe	diskperf.exe
PID 3260 set thread context of 4264	3260	spoolsv.exe	spoolsv.exe
PID 3260 set thread context of 7012	3260	spoolsv.exe	diskperf.exe
PID 3692 set thread context of 6704	3692	spoolsv.exe	svchost.exe
PID 412 set thread context of 6856	412	spoolsv.exe	spoolsv.exe
PID 412 set thread context of 4324	412	spoolsv.exe	diskperf.exe
PID 2532 set thread context of 2664	2532	spoolsv.exe	spoolsv.exe
PID 2532 set thread context of 3448	2532	spoolsv.exe	diskperf.exe
PID 3796 set thread context of 1028	3796	spoolsv.exe	spoolsv.exe
PID 3796 set thread context of 3672	3796	spoolsv.exe	diskperf.exe
PID 2940 set thread context of 1672	2940	spoolsv.exe	spoolsv.exe
PID 2744 set thread context of 636	2744	spoolsv.exe	spoolsv.exe
PID 2744 set thread context of 4640	2744	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exed49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exeexplorer.exe

pid	process
188	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
188	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

2980 explorer.exe

pid	process
2980	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exediskperf.exespoolsv.exespoolsv.exediskperf.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exespoolsv.exe

pid	process
188	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
188	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
2980	explorer.exe
6588	spoolsv.exe
6588	spoolsv.exe
6668	spoolsv.exe
6668	spoolsv.exe
6748	spoolsv.exe
6748	spoolsv.exe
6804	spoolsv.exe
6804	spoolsv.exe
6840	spoolsv.exe
6880	spoolsv.exe
6840	spoolsv.exe
6880	spoolsv.exe
6960	spoolsv.exe
6980	spoolsv.exe
7040	spoolsv.exe
7040	spoolsv.exe
6980	spoolsv.exe
6960	spoolsv.exe
7064	spoolsv.exe
7064	spoolsv.exe
7140	spoolsv.exe
7152	spoolsv.exe
7140	spoolsv.exe
7152	spoolsv.exe
2288	spoolsv.exe
2288	spoolsv.exe
6760	spoolsv.exe
6760	spoolsv.exe
6796	spoolsv.exe
6796	spoolsv.exe
6864	spoolsv.exe
6864	spoolsv.exe
4000	spoolsv.exe
4000	spoolsv.exe
2928	spoolsv.exe
2928	spoolsv.exe
7060	spoolsv.exe
7060	spoolsv.exe
7012	diskperf.exe
7012	diskperf.exe
7144	spoolsv.exe
7144	spoolsv.exe
6672	spoolsv.exe
6672	spoolsv.exe
3448	diskperf.exe
3448	diskperf.exe
6956	spoolsv.exe
6956	spoolsv.exe
7016	spoolsv.exe
7016	spoolsv.exe
4440	spoolsv.exe
4440	spoolsv.exe
4264	spoolsv.exe
4264	spoolsv.exe
6704	svchost.exe
6704	svchost.exe
6856	spoolsv.exe
6856	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exed49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3896 wrote to memory of 188	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 3896 wrote to memory of 188	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 3896 wrote to memory of 188	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 3896 wrote to memory of 188	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 3896 wrote to memory of 188	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 3896 wrote to memory of 188	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 3896 wrote to memory of 188	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 3896 wrote to memory of 188	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
PID 3896 wrote to memory of 3468	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 3896 wrote to memory of 3468	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 3896 wrote to memory of 3468	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 3896 wrote to memory of 3468	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 3896 wrote to memory of 3468	3896	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	diskperf.exe
PID 188 wrote to memory of 1248	188	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	explorer.exe
PID 188 wrote to memory of 1248	188	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	explorer.exe
PID 188 wrote to memory of 1248	188	d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe	explorer.exe
PID 1248 wrote to memory of 2980	1248	explorer.exe	explorer.exe
PID 1248 wrote to memory of 2980	1248	explorer.exe	explorer.exe
PID 1248 wrote to memory of 2980	1248	explorer.exe	explorer.exe
PID 1248 wrote to memory of 2980	1248	explorer.exe	explorer.exe
PID 1248 wrote to memory of 2980	1248	explorer.exe	explorer.exe
PID 1248 wrote to memory of 2980	1248	explorer.exe	explorer.exe
PID 1248 wrote to memory of 2980	1248	explorer.exe	explorer.exe
PID 1248 wrote to memory of 2980	1248	explorer.exe	explorer.exe
PID 1248 wrote to memory of 1468	1248	explorer.exe	diskperf.exe
PID 1248 wrote to memory of 1468	1248	explorer.exe	diskperf.exe
PID 1248 wrote to memory of 1468	1248	explorer.exe	diskperf.exe
PID 1248 wrote to memory of 1468	1248	explorer.exe	diskperf.exe
PID 1248 wrote to memory of 1468	1248	explorer.exe	diskperf.exe
PID 2980 wrote to memory of 2700	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 2700	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 2700	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3788	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3788	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3788	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 1436	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 1436	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 1436	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 2060	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 2060	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 2060	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 2320	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 2320	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 2320	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3968	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3968	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3968	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 4016	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 4016	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 4016	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3524	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3524	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3524	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 1844	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 1844	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 1844	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 1820	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 1820	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 1820	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3996	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3996	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 3996	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 644	2980	explorer.exe	spoolsv.exe
PID 2980 wrote to memory of 644	2980	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
"C:\Users\Admin\AppData\Local\Temp\d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe
  "C:\Users\Admin\AppData\Local\Temp\d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:188
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2700
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:6588
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6652
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3788
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6668
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6732
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1436
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6748
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2060
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6804
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2320
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6840
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3968
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6880
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4016
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6960
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3524
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6980
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1844
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7040
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1820
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3996
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7164
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7152
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:732
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2288
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:204
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6760
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6784
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6796
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6852
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3336
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6864
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2724
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4000
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6900
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3012
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2928
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2816
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7060
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7084
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7012
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2244
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7144
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2104
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6672
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6800
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3140
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2328
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3864
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6956
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:604
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7016
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7072
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2144
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:192
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3260
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4264
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3752
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3692
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6704
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4524
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:412
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6856
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:736
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2664
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2352
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3796
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1028
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4624
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1672
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:852
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2744
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:636
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4452
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2084
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4668
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4472
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2936
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1132
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6704
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4736
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4748
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:208
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2924
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4784
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2528
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3652
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4832
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2740
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4844
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4864
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3804
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4880
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4636
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1304
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3360
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2720
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3892
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4944
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4956
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3380
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1548
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5004
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1228
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6924
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5036
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2180
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5052
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3472
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3992
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1672
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5088
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2176
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4908
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3724
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3876
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3360
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4940
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4112
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4944
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:196
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4136
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4236
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4280
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4160
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6924
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5068
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:68
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4188
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4380
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4844
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4224
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5164
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4672
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4248
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5196
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:496
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4272
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4116
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1428
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4308
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2564
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3940
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4332
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4164
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4304
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4356
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4212
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5340
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4392
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5356
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2808
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4412
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3332
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4428
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3360
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4464
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4480
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5020
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6624
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1468
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:3468

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:6592

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:4288

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
a01baf08c10a47c48ce4891fce9a1544

SHA1
ff1eb7a50534c1351ad854a99ab59ea1ecd9971f

SHA256
d49cfc47e8bfcee37048d17897a73fe10905f5100af5663c0915e812d25b6804

SHA512
d0067360009a4c6bcb49b19e02024bd5b60ee1c5e0cb1391e9c59cd2a383b9587cea41464276cb803eaf58b14b540d2d04c421c9ddb6c5f4a462c9261359e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
0242a20f6d4d77d0adb25015b9eb12cf

SHA1
4f66ae88269c8852411a0d3d46e7f949875e90a8

SHA256
0b19a7ade3cca643b90aba74601b0c8d9fe53cd42d2333141fc862cff4cfe8dc

SHA512
0ebb41e64f9ff46ff29140d4e7f257f225929dc9072cbb41e08dadddd0de7f35c4657d9e3a608040c8d1a488237d1e00973d0074b01d3781ff2f53a460eb3d50

Download Submit
C:\Windows\System\explorer.exe

MD5
0242a20f6d4d77d0adb25015b9eb12cf

SHA1
4f66ae88269c8852411a0d3d46e7f949875e90a8

SHA256
0b19a7ade3cca643b90aba74601b0c8d9fe53cd42d2333141fc862cff4cfe8dc

SHA512
0ebb41e64f9ff46ff29140d4e7f257f225929dc9072cbb41e08dadddd0de7f35c4657d9e3a608040c8d1a488237d1e00973d0074b01d3781ff2f53a460eb3d50

Download Submit
C:\Windows\System\explorer.exe

MD5
0242a20f6d4d77d0adb25015b9eb12cf

SHA1
4f66ae88269c8852411a0d3d46e7f949875e90a8

SHA256
0b19a7ade3cca643b90aba74601b0c8d9fe53cd42d2333141fc862cff4cfe8dc

SHA512
0ebb41e64f9ff46ff29140d4e7f257f225929dc9072cbb41e08dadddd0de7f35c4657d9e3a608040c8d1a488237d1e00973d0074b01d3781ff2f53a460eb3d50

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
C:\Windows\System\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
\??\c:\windows\system\explorer.exe

MD5
0242a20f6d4d77d0adb25015b9eb12cf

SHA1
4f66ae88269c8852411a0d3d46e7f949875e90a8

SHA256
0b19a7ade3cca643b90aba74601b0c8d9fe53cd42d2333141fc862cff4cfe8dc

SHA512
0ebb41e64f9ff46ff29140d4e7f257f225929dc9072cbb41e08dadddd0de7f35c4657d9e3a608040c8d1a488237d1e00973d0074b01d3781ff2f53a460eb3d50

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
b6220ed3ab52ca2e7f0864ab9ed0ce72

SHA1
55f68c0631d147f3f5b2b20e01ba8d38f2890da8

SHA256
4018ca5c221aadcaafdae833361646101fa0a91e9ea43de0913b39268b88d6bc

SHA512
46f1417e5011aba19fc586abcdd19d56f717f831489b13dd3b072f83d227c4b7f034bbc1bc36e54e67691b3cd59a10abe77b1423fb6a5149113b6c26b8f456c4

Download Submit
memory/188-118-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/188-116-0x0000000000403670-mapping.dmp

Download
memory/188-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/204-192-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/204-182-0x0000000000000000-mapping.dmp

Download
memory/208-256-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/208-251-0x0000000000000000-mapping.dmp

Download
memory/412-229-0x0000000000000000-mapping.dmp

Download
memory/604-225-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/604-217-0x0000000000000000-mapping.dmp

Download
memory/644-177-0x0000000000000000-mapping.dmp

Download
memory/644-183-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/732-179-0x0000000000000000-mapping.dmp

Download
memory/732-184-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/932-207-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/932-200-0x0000000000000000-mapping.dmp

Download
memory/1228-272-0x0000000000000000-mapping.dmp

Download
memory/1228-279-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1248-125-0x0000000000000000-mapping.dmp

Download
memory/1248-129-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1304-267-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/1304-263-0x0000000000000000-mapping.dmp

Download
memory/1436-159-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1436-151-0x0000000000000000-mapping.dmp

Download
memory/1468-138-0x0000000000411000-mapping.dmp

Download
memory/1772-193-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1772-190-0x0000000000000000-mapping.dmp

Download
memory/1820-172-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/1820-169-0x0000000000000000-mapping.dmp

Download
memory/1844-174-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1844-167-0x0000000000000000-mapping.dmp

Download
memory/2060-153-0x0000000000000000-mapping.dmp

Download
memory/2060-161-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2084-246-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2084-242-0x0000000000000000-mapping.dmp

Download
memory/2144-219-0x0000000000000000-mapping.dmp

Download
memory/2176-288-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2176-282-0x0000000000000000-mapping.dmp

Download
memory/2180-278-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2180-275-0x0000000000000000-mapping.dmp

Download
memory/2244-203-0x0000000000000000-mapping.dmp

Download
memory/2244-206-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2320-162-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2320-155-0x0000000000000000-mapping.dmp

Download
memory/2528-254-0x0000000000000000-mapping.dmp

Download
memory/2528-258-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2532-236-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/2532-231-0x0000000000000000-mapping.dmp

Download
memory/2700-144-0x0000000000000000-mapping.dmp

Download
memory/2740-259-0x0000000000000000-mapping.dmp

Download
memory/2740-265-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2744-240-0x0000000000000000-mapping.dmp

Download
memory/2744-245-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2816-204-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2816-198-0x0000000000000000-mapping.dmp

Download
memory/2936-247-0x0000000000000000-mapping.dmp

Download
memory/2940-238-0x0000000000000000-mapping.dmp

Download
memory/2980-131-0x0000000000403670-mapping.dmp

Download
memory/3012-196-0x0000000000000000-mapping.dmp

Download
memory/3012-202-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3104-214-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3104-208-0x0000000000000000-mapping.dmp

Download
memory/3140-215-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/3140-210-0x0000000000000000-mapping.dmp

Download
memory/3156-194-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3156-186-0x0000000000000000-mapping.dmp

Download
memory/3260-221-0x0000000000000000-mapping.dmp

Download
memory/3260-228-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3336-195-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3336-188-0x0000000000000000-mapping.dmp

Download
memory/3380-276-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3380-270-0x0000000000000000-mapping.dmp

Download
memory/3468-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3468-119-0x0000000000411000-mapping.dmp

Download
memory/3468-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3524-165-0x0000000000000000-mapping.dmp

Download
memory/3524-173-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3692-223-0x0000000000000000-mapping.dmp

Download
memory/3692-226-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3788-150-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3788-147-0x0000000000000000-mapping.dmp

Download
memory/3796-233-0x0000000000000000-mapping.dmp

Download
memory/3796-237-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/3804-261-0x0000000000000000-mapping.dmp

Download
memory/3804-266-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3864-216-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3864-212-0x0000000000000000-mapping.dmp

Download
memory/3876-284-0x0000000000000000-mapping.dmp

Download
memory/3876-287-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3892-274-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download
memory/3892-268-0x0000000000000000-mapping.dmp

Download
memory/3896-114-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3932-249-0x0000000000000000-mapping.dmp

Download
memory/3932-255-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3968-160-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3968-157-0x0000000000000000-mapping.dmp

Download
memory/3992-280-0x0000000000000000-mapping.dmp

Download
memory/3992-286-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3996-175-0x0000000000000000-mapping.dmp

Download
memory/3996-181-0x0000000000600000-0x000000000074A000-memory.dmp

Filesize
1.3MB

Download
memory/4016-171-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4016-163-0x0000000000000000-mapping.dmp

Download
memory/4112-289-0x0000000000000000-mapping.dmp

Download
memory/4112-295-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4136-297-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4136-291-0x0000000000000000-mapping.dmp

Download
memory/4160-298-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4160-293-0x0000000000000000-mapping.dmp

Download
memory/4188-300-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/4188-296-0x0000000000000000-mapping.dmp

Download
memory/4224-301-0x0000000000000000-mapping.dmp

Download
memory/4224-307-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/4248-309-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4248-303-0x0000000000000000-mapping.dmp

Download
memory/4272-305-0x0000000000000000-mapping.dmp

Download
memory/4272-308-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/4308-310-0x0000000000000000-mapping.dmp

Download
memory/4308-316-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/4332-312-0x0000000000000000-mapping.dmp

Download
memory/4332-318-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4356-314-0x0000000000000000-mapping.dmp

Download
memory/4356-317-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4392-319-0x0000000000000000-mapping.dmp

Download
memory/6804-346-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download