warzonerat | e1862530047d9530658f32c4f54f09f2fbb75ec1f3b4788208460d24f324cf30

Analysis

max time kernel
144s
max time network
33s
platform
windows7_x64
resource
win7v20210410
submitted
18-06-2021 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sinners_and_saints.exe
Size

1.8MB
MD5

a7eb6a0b8d8dbce375adc25117fc6637
SHA1

61e19ddc375a09c01c48c3eb5a40318d3f841fb1
SHA256

e1862530047d9530658f32c4f54f09f2fbb75ec1f3b4788208460d24f324cf30
SHA512

427a695f440b5d261636302529ce30e2371c5035ad12cc31e0e37ca850a5a44218e637f665e73e77fed9dd50f884801b2deb81c3b8bddc191649b8f4a2a4ba59

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1656	explorer.exe
1468	explorer.exe
1896	spoolsv.exe
744	spoolsv.exe
1452	spoolsv.exe
1816	spoolsv.exe
1940	spoolsv.exe
1388	spoolsv.exe
1316	spoolsv.exe
1616	spoolsv.exe
952	spoolsv.exe
1332	spoolsv.exe
1640	spoolsv.exe
1080	spoolsv.exe
1092	spoolsv.exe
772	spoolsv.exe
1420	spoolsv.exe
1484	spoolsv.exe
1220	spoolsv.exe
820	spoolsv.exe
1064	spoolsv.exe
676	spoolsv.exe
1048	spoolsv.exe
384	spoolsv.exe
276	spoolsv.exe
1236	spoolsv.exe
1932	spoolsv.exe
536	spoolsv.exe
1148	spoolsv.exe
1720	spoolsv.exe
972	spoolsv.exe
1536	spoolsv.exe
1320	spoolsv.exe
1396	spoolsv.exe
1252	spoolsv.exe
2012	spoolsv.exe
1084	spoolsv.exe
788	spoolsv.exe
1804	spoolsv.exe
1108	spoolsv.exe
816	spoolsv.exe
904	spoolsv.exe
268	spoolsv.exe
1488	spoolsv.exe
760	spoolsv.exe
1156	spoolsv.exe
1948	spoolsv.exe
1840	spoolsv.exe
1620	spoolsv.exe
1248	spoolsv.exe
1344	spoolsv.exe
1076	spoolsv.exe
1072	spoolsv.exe
568	spoolsv.exe
524	spoolsv.exe
1568	spoolsv.exe
1204	spoolsv.exe
1516	spoolsv.exe
296	spoolsv.exe
916	spoolsv.exe
1936	spoolsv.exe
844	spoolsv.exe
1592	spoolsv.exe
824	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

sinners_and_saints.exeexplorer.exe

pid	process
788	sinners_and_saints.exe
788	sinners_and_saints.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesinners_and_saints.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	sinners_and_saints.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

sinners_and_saints.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2012 set thread context of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 set thread context of 324	2012	sinners_and_saints.exe	diskperf.exe
PID 1656 set thread context of 1468	1656	explorer.exe	explorer.exe
PID 1656 set thread context of 560	1656	explorer.exe	diskperf.exe
PID 1896 set thread context of 3228	1896	spoolsv.exe	spoolsv.exe
PID 1896 set thread context of 3236	1896	spoolsv.exe	diskperf.exe
PID 744 set thread context of 3276	744	spoolsv.exe	spoolsv.exe
PID 744 set thread context of 3284	744	spoolsv.exe	diskperf.exe
PID 1452 set thread context of 3312	1452	spoolsv.exe	spoolsv.exe
PID 1452 set thread context of 3320	1452	spoolsv.exe	diskperf.exe
PID 1816 set thread context of 3348	1816	spoolsv.exe	spoolsv.exe
PID 1816 set thread context of 3356	1816	spoolsv.exe	diskperf.exe
PID 1940 set thread context of 3384	1940	spoolsv.exe	spoolsv.exe
PID 1940 set thread context of 3392	1940	spoolsv.exe	diskperf.exe
PID 1388 set thread context of 3416	1388	spoolsv.exe	spoolsv.exe
PID 1388 set thread context of 3424	1388	spoolsv.exe	diskperf.exe
PID 1316 set thread context of 3452	1316	spoolsv.exe	spoolsv.exe
PID 1316 set thread context of 3460	1316	spoolsv.exe	diskperf.exe
PID 1616 set thread context of 3480	1616	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 3488	1616	spoolsv.exe	diskperf.exe
PID 952 set thread context of 3520	952	spoolsv.exe	spoolsv.exe
PID 952 set thread context of 3540	952	spoolsv.exe	diskperf.exe
PID 1332 set thread context of 3548	1332	spoolsv.exe	spoolsv.exe
PID 1332 set thread context of 3556	1332	spoolsv.exe	diskperf.exe
PID 1640 set thread context of 3584	1640	spoolsv.exe	spoolsv.exe
PID 1640 set thread context of 3604	1640	spoolsv.exe	diskperf.exe
PID 1080 set thread context of 3620	1080	spoolsv.exe	spoolsv.exe
PID 1080 set thread context of 3628	1080	spoolsv.exe	diskperf.exe
PID 1092 set thread context of 3656	1092	spoolsv.exe	spoolsv.exe
PID 1092 set thread context of 3664	1092	spoolsv.exe	diskperf.exe
PID 772 set thread context of 3688	772	spoolsv.exe	spoolsv.exe
PID 772 set thread context of 3696	772	spoolsv.exe	diskperf.exe
PID 1420 set thread context of 3724	1420	spoolsv.exe	spoolsv.exe
PID 1420 set thread context of 3732	1420	spoolsv.exe	diskperf.exe
PID 1484 set thread context of 3760	1484	spoolsv.exe	spoolsv.exe
PID 1484 set thread context of 3768	1484	spoolsv.exe	diskperf.exe
PID 1220 set thread context of 3796	1220	spoolsv.exe	spoolsv.exe
PID 1220 set thread context of 3804	1220	spoolsv.exe	diskperf.exe
PID 820 set thread context of 3824	820	spoolsv.exe	spoolsv.exe
PID 820 set thread context of 3844	820	spoolsv.exe	diskperf.exe
PID 1064 set thread context of 3856	1064	spoolsv.exe	spoolsv.exe
PID 1064 set thread context of 3864	1064	spoolsv.exe	diskperf.exe
PID 676 set thread context of 3892	676	spoolsv.exe	spoolsv.exe
PID 676 set thread context of 3900	676	spoolsv.exe	diskperf.exe
PID 1048 set thread context of 3928	1048	spoolsv.exe	spoolsv.exe
PID 384 set thread context of 3936	384	spoolsv.exe	spoolsv.exe
PID 1048 set thread context of 3956	1048	spoolsv.exe	diskperf.exe
PID 384 set thread context of 3964	384	spoolsv.exe	diskperf.exe
PID 276 set thread context of 3972	276	spoolsv.exe	spoolsv.exe
PID 276 set thread context of 3992	276	spoolsv.exe	diskperf.exe
PID 1236 set thread context of 4004	1236	spoolsv.exe	spoolsv.exe
PID 1236 set thread context of 4012	1236	spoolsv.exe	diskperf.exe
PID 1932 set thread context of 4032	1932	spoolsv.exe	spoolsv.exe
PID 1932 set thread context of 4040	1932	spoolsv.exe	diskperf.exe
PID 536 set thread context of 4052	536	spoolsv.exe	spoolsv.exe
PID 536 set thread context of 4072	536	spoolsv.exe	diskperf.exe
PID 1148 set thread context of 4088	1148	spoolsv.exe	spoolsv.exe
PID 1148 set thread context of 1472	1148	spoolsv.exe	diskperf.exe
PID 1720 set thread context of 1696	1720	spoolsv.exe	spoolsv.exe
PID 972 set thread context of 3232	972	spoolsv.exe	spoolsv.exe
PID 1720 set thread context of 3248	1720	spoolsv.exe	diskperf.exe
PID 972 set thread context of 3296	972	spoolsv.exe	diskperf.exe
PID 1536 set thread context of 3292	1536	spoolsv.exe	spoolsv.exe
PID 1536 set thread context of 1664	1536	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

sinners_and_saints.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	sinners_and_saints.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sinners_and_saints.exeexplorer.exe

pid	process
788	sinners_and_saints.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1468 explorer.exe

pid	process
1468	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
788	sinners_and_saints.exe
788	sinners_and_saints.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
1468	explorer.exe
3228	spoolsv.exe
3228	spoolsv.exe
3276	spoolsv.exe
3276	spoolsv.exe
3312	spoolsv.exe
3312	spoolsv.exe
3348	spoolsv.exe
3348	spoolsv.exe
3384	spoolsv.exe
3384	spoolsv.exe
3416	spoolsv.exe
3416	spoolsv.exe
3452	spoolsv.exe
3452	spoolsv.exe
3480	spoolsv.exe
3480	spoolsv.exe
3520	spoolsv.exe
3520	spoolsv.exe
3548	spoolsv.exe
3548	spoolsv.exe
3584	spoolsv.exe
3584	spoolsv.exe
3620	spoolsv.exe
3620	spoolsv.exe
3656	spoolsv.exe
3656	spoolsv.exe
3688	spoolsv.exe
3688	spoolsv.exe
3724	spoolsv.exe
3724	spoolsv.exe
3760	spoolsv.exe
3760	spoolsv.exe
3796	spoolsv.exe
3796	spoolsv.exe
3824	spoolsv.exe
3824	spoolsv.exe
3856	spoolsv.exe
3856	spoolsv.exe
3892	spoolsv.exe
3892	spoolsv.exe
3928	spoolsv.exe
3928	spoolsv.exe
3936	spoolsv.exe
3936	spoolsv.exe
3972	spoolsv.exe
3972	spoolsv.exe
4004	spoolsv.exe
4004	spoolsv.exe
4032	spoolsv.exe
4032	spoolsv.exe
4052	spoolsv.exe
4052	spoolsv.exe
4088	spoolsv.exe
4088	spoolsv.exe
1696	spoolsv.exe
1696	spoolsv.exe
3232	spoolsv.exe
3232	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sinners_and_saints.exesinners_and_saints.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 2012 wrote to memory of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 wrote to memory of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 wrote to memory of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 wrote to memory of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 wrote to memory of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 wrote to memory of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 wrote to memory of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 wrote to memory of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 wrote to memory of 788	2012	sinners_and_saints.exe	sinners_and_saints.exe
PID 2012 wrote to memory of 324	2012	sinners_and_saints.exe	diskperf.exe
PID 2012 wrote to memory of 324	2012	sinners_and_saints.exe	diskperf.exe
PID 2012 wrote to memory of 324	2012	sinners_and_saints.exe	diskperf.exe
PID 2012 wrote to memory of 324	2012	sinners_and_saints.exe	diskperf.exe
PID 2012 wrote to memory of 324	2012	sinners_and_saints.exe	diskperf.exe
PID 2012 wrote to memory of 324	2012	sinners_and_saints.exe	diskperf.exe
PID 788 wrote to memory of 1656	788	sinners_and_saints.exe	explorer.exe
PID 788 wrote to memory of 1656	788	sinners_and_saints.exe	explorer.exe
PID 788 wrote to memory of 1656	788	sinners_and_saints.exe	explorer.exe
PID 788 wrote to memory of 1656	788	sinners_and_saints.exe	explorer.exe
PID 1656 wrote to memory of 1468	1656	explorer.exe	explorer.exe
PID 1656 wrote to memory of 1468	1656	explorer.exe	explorer.exe
PID 1656 wrote to memory of 1468	1656	explorer.exe	explorer.exe
PID 1656 wrote to memory of 1468	1656	explorer.exe	explorer.exe
PID 1656 wrote to memory of 1468	1656	explorer.exe	explorer.exe
PID 1656 wrote to memory of 1468	1656	explorer.exe	explorer.exe
PID 1656 wrote to memory of 1468	1656	explorer.exe	explorer.exe
PID 1656 wrote to memory of 1468	1656	explorer.exe	explorer.exe
PID 1656 wrote to memory of 1468	1656	explorer.exe	explorer.exe
PID 1656 wrote to memory of 560	1656	explorer.exe	diskperf.exe
PID 1656 wrote to memory of 560	1656	explorer.exe	diskperf.exe
PID 1656 wrote to memory of 560	1656	explorer.exe	diskperf.exe
PID 1656 wrote to memory of 560	1656	explorer.exe	diskperf.exe
PID 1656 wrote to memory of 560	1656	explorer.exe	diskperf.exe
PID 1656 wrote to memory of 560	1656	explorer.exe	diskperf.exe
PID 1468 wrote to memory of 1896	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1896	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1896	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1896	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 744	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 744	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 744	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 744	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1452	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1452	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1452	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1452	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1816	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1816	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1816	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1816	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1940	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1940	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1940	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1940	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1388	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1388	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1388	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1388	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1316	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1316	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1316	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1316	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1616	1468	explorer.exe	spoolsv.exe
PID 1468 wrote to memory of 1616	1468	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\sinners_and_saints.exe
"C:\Users\Admin\AppData\Local\Temp\sinners_and_saints.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\sinners_and_saints.exe
  "C:\Users\Admin\AppData\Local\Temp\sinners_and_saints.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:788
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1896
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3228
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3268
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:744
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3276
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3300
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1452
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3312
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3332
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1816
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3348
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3368
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3384
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3404
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1388
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3416
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3440
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1316
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3452
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3472
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1616
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3480
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3500
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:952
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3520
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3532
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1332
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3576
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1640
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3584
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3596
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1080
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3640
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1092
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3656
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3676
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3688
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3708
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1420
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3724
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3744
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1484
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3760
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3788
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1220
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3796
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3816
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:820
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3836
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1064
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3856
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3876
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:676
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3892
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3912
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1048
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3928
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3948
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3984
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:276
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3972
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1236
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4004
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4024
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1932
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4040
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:536
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4052
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1148
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4088
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1916
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1720
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1696
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:972
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3296
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1536
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1664
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1320
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3352
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3400
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1396
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1992
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1952
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1252
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3456
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2012
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3508
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3484
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1084
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3572
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2024
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:788
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3612
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:484
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1804
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:752
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1108
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3672
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1564
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:816
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3704
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3800
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:904
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3728
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:268
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:828
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1488
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3824
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3832
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:432
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3892
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3932
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3972
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1948
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4000
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4020
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1840
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4004
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1700
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1620
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4032
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4052
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1248
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1740
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1344
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1588
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3292
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1076
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3412
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3420
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1072
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3456
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:568
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:748
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3484
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:524
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2032
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1568
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3612
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1204
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3672
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1924
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1516
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3728
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:296
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3856
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3924
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:916
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:432
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1936
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1672
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1928
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:844
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4056
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1592
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1696
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:300
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:824
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1588
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1836
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3412
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2008
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:600
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1088
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1692
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3612
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1608
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1656
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3672
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:332
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1412
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:812
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4004
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:672
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1800
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3980
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:432
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:284
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1588
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1912
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2020
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:548
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1684
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3364
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3856
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:928
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1480
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1672
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:936
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:316
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:960
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1088
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2060
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1176
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:596
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2068
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1480
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2056
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2076
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:304
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1480
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2084
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1176
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2092
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4100
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3252
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:560
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:324

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3344

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:3568

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
a7eb6a0b8d8dbce375adc25117fc6637

SHA1
61e19ddc375a09c01c48c3eb5a40318d3f841fb1

SHA256
e1862530047d9530658f32c4f54f09f2fbb75ec1f3b4788208460d24f324cf30

SHA512
427a695f440b5d261636302529ce30e2371c5035ad12cc31e0e37ca850a5a44218e637f665e73e77fed9dd50f884801b2deb81c3b8bddc191649b8f4a2a4ba59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
edc01ca2c2fcec6d5533cc5aad1f61e3

SHA1
9d89d0339d126caaa55291442dc0f6c891510171

SHA256
b6a83d27da47b92267d2b381a9ded59a39156eccfd06379d87da68022c02c209

SHA512
1bf17f26110d0f9fa937d1e724a4c0cb766ebb251da2eb09e1d4c485767f63c57d152bdf1b234ce78516570046cfa500356e720a2135a4e4de759b654403a708

Download Submit
C:\Windows\system\explorer.exe

MD5
edc01ca2c2fcec6d5533cc5aad1f61e3

SHA1
9d89d0339d126caaa55291442dc0f6c891510171

SHA256
b6a83d27da47b92267d2b381a9ded59a39156eccfd06379d87da68022c02c209

SHA512
1bf17f26110d0f9fa937d1e724a4c0cb766ebb251da2eb09e1d4c485767f63c57d152bdf1b234ce78516570046cfa500356e720a2135a4e4de759b654403a708

Download Submit
C:\Windows\system\explorer.exe

MD5
edc01ca2c2fcec6d5533cc5aad1f61e3

SHA1
9d89d0339d126caaa55291442dc0f6c891510171

SHA256
b6a83d27da47b92267d2b381a9ded59a39156eccfd06379d87da68022c02c209

SHA512
1bf17f26110d0f9fa937d1e724a4c0cb766ebb251da2eb09e1d4c485767f63c57d152bdf1b234ce78516570046cfa500356e720a2135a4e4de759b654403a708

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
C:\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\??\c:\windows\system\explorer.exe

MD5
edc01ca2c2fcec6d5533cc5aad1f61e3

SHA1
9d89d0339d126caaa55291442dc0f6c891510171

SHA256
b6a83d27da47b92267d2b381a9ded59a39156eccfd06379d87da68022c02c209

SHA512
1bf17f26110d0f9fa937d1e724a4c0cb766ebb251da2eb09e1d4c485767f63c57d152bdf1b234ce78516570046cfa500356e720a2135a4e4de759b654403a708

Download Submit
\Windows\system\explorer.exe

MD5
edc01ca2c2fcec6d5533cc5aad1f61e3

SHA1
9d89d0339d126caaa55291442dc0f6c891510171

SHA256
b6a83d27da47b92267d2b381a9ded59a39156eccfd06379d87da68022c02c209

SHA512
1bf17f26110d0f9fa937d1e724a4c0cb766ebb251da2eb09e1d4c485767f63c57d152bdf1b234ce78516570046cfa500356e720a2135a4e4de759b654403a708

Download Submit
\Windows\system\explorer.exe

MD5
edc01ca2c2fcec6d5533cc5aad1f61e3

SHA1
9d89d0339d126caaa55291442dc0f6c891510171

SHA256
b6a83d27da47b92267d2b381a9ded59a39156eccfd06379d87da68022c02c209

SHA512
1bf17f26110d0f9fa937d1e724a4c0cb766ebb251da2eb09e1d4c485767f63c57d152bdf1b234ce78516570046cfa500356e720a2135a4e4de759b654403a708

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
\Windows\system\spoolsv.exe

MD5
57ab5a362ed9e7bb3765d2d6b04a4f69

SHA1
fb0c1b4aceaa41196586e9557d3c129fc029e643

SHA256
9e83a516c3d2a669a76b83e3ec05e099c500f9827e0445c4dc29957504a08acd

SHA512
59dfb8fd145ce25fa48c35dd2f55ba2aed07d171372fb87fd4182ecb7688da825152c9bd8a3d55be6bf677962c89af3bfb793757de0db8488bb28eaa648d5ed5

Download Submit
memory/268-266-0x0000000000000000-mapping.dmp

Download
memory/276-217-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/276-212-0x0000000000000000-mapping.dmp

Download
memory/296-310-0x0000000000000000-mapping.dmp

Download
memory/324-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/324-67-0x0000000000411000-mapping.dmp

Download
memory/324-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/384-218-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/384-210-0x0000000000000000-mapping.dmp

Download
memory/524-299-0x0000000000000000-mapping.dmp

Download
memory/524-306-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/536-223-0x0000000000000000-mapping.dmp

Download
memory/536-233-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/560-86-0x0000000000411000-mapping.dmp

Download
memory/568-305-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/568-298-0x0000000000000000-mapping.dmp

Download
memory/676-206-0x0000000000000000-mapping.dmp

Download
memory/676-215-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/744-100-0x0000000000000000-mapping.dmp

Download
memory/744-109-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/760-276-0x0000000000000000-mapping.dmp

Download
memory/772-182-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/772-173-0x0000000000000000-mapping.dmp

Download
memory/788-249-0x0000000000000000-mapping.dmp

Download
memory/788-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/788-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/788-62-0x0000000000403670-mapping.dmp

Download
memory/816-262-0x0000000000000000-mapping.dmp

Download
memory/820-195-0x0000000000000000-mapping.dmp

Download
memory/820-200-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/904-264-0x0000000000000000-mapping.dmp

Download
memory/904-273-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/916-314-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/916-311-0x0000000000000000-mapping.dmp

Download
memory/952-143-0x0000000000000000-mapping.dmp

Download
memory/952-152-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/972-236-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/972-229-0x0000000000000000-mapping.dmp

Download
memory/1048-208-0x0000000000000000-mapping.dmp

Download
memory/1048-216-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1064-203-0x0000000000000000-mapping.dmp

Download
memory/1064-213-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1072-297-0x0000000000000000-mapping.dmp

Download
memory/1076-303-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1076-296-0x0000000000000000-mapping.dmp

Download
memory/1080-160-0x0000000000000000-mapping.dmp

Download
memory/1080-170-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1084-247-0x0000000000000000-mapping.dmp

Download
memory/1092-165-0x0000000000000000-mapping.dmp

Download
memory/1092-169-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1108-260-0x0000000000000000-mapping.dmp

Download
memory/1148-234-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1148-225-0x0000000000000000-mapping.dmp

Download
memory/1156-278-0x0000000000000000-mapping.dmp

Download
memory/1204-301-0x0000000000000000-mapping.dmp

Download
memory/1220-199-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1220-190-0x0000000000000000-mapping.dmp

Download
memory/1236-219-0x0000000000000000-mapping.dmp

Download
memory/1248-286-0x0000000000000000-mapping.dmp

Download
memory/1252-243-0x0000000000000000-mapping.dmp

Download
memory/1316-130-0x0000000000000000-mapping.dmp

Download
memory/1320-239-0x0000000000000000-mapping.dmp

Download
memory/1332-148-0x0000000000000000-mapping.dmp

Download
memory/1332-155-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1344-294-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1344-289-0x0000000000000000-mapping.dmp

Download
memory/1388-137-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1388-123-0x0000000000000000-mapping.dmp

Download
memory/1396-241-0x0000000000000000-mapping.dmp

Download
memory/1396-254-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1420-178-0x0000000000000000-mapping.dmp

Download
memory/1452-110-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1452-105-0x0000000000000000-mapping.dmp

Download
memory/1468-80-0x0000000000403670-mapping.dmp

Download
memory/1484-184-0x0000000000000000-mapping.dmp

Download
memory/1488-268-0x0000000000000000-mapping.dmp

Download
memory/1488-275-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1516-309-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1516-302-0x0000000000000000-mapping.dmp

Download
memory/1536-237-0x0000000000000000-mapping.dmp

Download
memory/1568-307-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1568-300-0x0000000000000000-mapping.dmp

Download
memory/1616-140-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1616-135-0x0000000000000000-mapping.dmp

Download
memory/1620-293-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1620-284-0x0000000000000000-mapping.dmp

Download
memory/1640-168-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1640-154-0x0000000000000000-mapping.dmp

Download
memory/1656-72-0x0000000000000000-mapping.dmp

Download
memory/1656-76-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-227-0x0000000000000000-mapping.dmp

Download
memory/1720-235-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1804-270-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1804-258-0x0000000000000000-mapping.dmp

Download
memory/1816-124-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1816-113-0x0000000000000000-mapping.dmp

Download
memory/1840-292-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1840-282-0x0000000000000000-mapping.dmp

Download
memory/1896-95-0x0000000000000000-mapping.dmp

Download
memory/1896-106-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1932-221-0x0000000000000000-mapping.dmp

Download
memory/1932-232-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1936-312-0x0000000000000000-mapping.dmp

Download
memory/1940-118-0x0000000000000000-mapping.dmp

Download
memory/1940-125-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1948-291-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1948-280-0x0000000000000000-mapping.dmp

Download
memory/2012-256-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-245-0x0000000000000000-mapping.dmp

Download
memory/2012-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-59-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download