warzonerat | e1862530047d9530658f32c4f54f09f2fbb75ec1f3b4788208460d24f324cf30

Analysis

max time kernel
150s
max time network
116s
platform
windows10_x64
resource
win10v20210410
submitted
18-06-2021 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sinners_and_saints.exe
Size

1.8MB
MD5

a7eb6a0b8d8dbce375adc25117fc6637
SHA1

61e19ddc375a09c01c48c3eb5a40318d3f841fb1
SHA256

e1862530047d9530658f32c4f54f09f2fbb75ec1f3b4788208460d24f324cf30
SHA512

427a695f440b5d261636302529ce30e2371c5035ad12cc31e0e37ca850a5a44218e637f665e73e77fed9dd50f884801b2deb81c3b8bddc191649b8f4a2a4ba59

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 64 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3120	explorer.exe
1536	explorer.exe
2760	spoolsv.exe
2136	spoolsv.exe
528	spoolsv.exe
3940	spoolsv.exe
3924	spoolsv.exe
2632	spoolsv.exe
2628	spoolsv.exe
2104	spoolsv.exe
728	spoolsv.exe
2992	spoolsv.exe
4056	spoolsv.exe
3236	spoolsv.exe
3516	spoolsv.exe
216	spoolsv.exe
2332	spoolsv.exe
184	spoolsv.exe
1208	spoolsv.exe
780	spoolsv.exe
1372	spoolsv.exe
2612	spoolsv.exe
2000	spoolsv.exe
1472	spoolsv.exe
2180	spoolsv.exe
3260	spoolsv.exe
4084	spoolsv.exe
3936	spoolsv.exe
3680	spoolsv.exe
412	spoolsv.exe
4072	spoolsv.exe
864	spoolsv.exe
732	spoolsv.exe
2336	spoolsv.exe
3284	spoolsv.exe
3572	spoolsv.exe
4016	spoolsv.exe
648	spoolsv.exe
400	spoolsv.exe
2888	spoolsv.exe
4064	spoolsv.exe
2512	spoolsv.exe
3100	spoolsv.exe
2608	spoolsv.exe
1232	spoolsv.exe
2240	spoolsv.exe
3112	spoolsv.exe
2660	spoolsv.exe
2260	spoolsv.exe
1364	spoolsv.exe
2124	spoolsv.exe
4132	spoolsv.exe
4156	spoolsv.exe
4180	spoolsv.exe
4204	spoolsv.exe
4244	spoolsv.exe
4268	spoolsv.exe
4292	spoolsv.exe
4316	spoolsv.exe
4356	spoolsv.exe
4380	spoolsv.exe
4400	spoolsv.exe
4420	spoolsv.exe
4436	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesinners_and_saints.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	sinners_and_saints.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

sinners_and_saints.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3244 set thread context of 400	3244	sinners_and_saints.exe	sinners_and_saints.exe
PID 3244 set thread context of 1432	3244	sinners_and_saints.exe	diskperf.exe
PID 3120 set thread context of 1536	3120	explorer.exe	explorer.exe
PID 3120 set thread context of 3396	3120	explorer.exe	diskperf.exe
PID 2760 set thread context of 1368	2760	spoolsv.exe	spoolsv.exe
PID 2760 set thread context of 1312	2760	spoolsv.exe	diskperf.exe
PID 2136 set thread context of 7252	2136	spoolsv.exe	spoolsv.exe
PID 528 set thread context of 7316	528	spoolsv.exe	spoolsv.exe
PID 528 set thread context of 7340	528	spoolsv.exe	diskperf.exe
PID 3940 set thread context of 7380	3940	spoolsv.exe	spoolsv.exe
PID 3924 set thread context of 7416	3924	spoolsv.exe	spoolsv.exe
PID 2632 set thread context of 7484	2632	spoolsv.exe	spoolsv.exe
PID 2632 set thread context of 7500	2632	spoolsv.exe	diskperf.exe
PID 2628 set thread context of 7528	2628	spoolsv.exe	spoolsv.exe
PID 2104 set thread context of 7552	2104	spoolsv.exe	spoolsv.exe
PID 2628 set thread context of 7608	2628	spoolsv.exe	diskperf.exe
PID 728 set thread context of 7656	728	spoolsv.exe	spoolsv.exe
PID 2992 set thread context of 7676	2992	spoolsv.exe	spoolsv.exe
PID 728 set thread context of 7692	728	spoolsv.exe	diskperf.exe
PID 2992 set thread context of 7720	2992	spoolsv.exe	diskperf.exe
PID 4056 set thread context of 7748	4056	spoolsv.exe	spoolsv.exe
PID 4056 set thread context of 7764	4056	spoolsv.exe	diskperf.exe
PID 3236 set thread context of 7788	3236	spoolsv.exe	spoolsv.exe
PID 3236 set thread context of 7796	3236	spoolsv.exe	diskperf.exe
PID 3516 set thread context of 7844	3516	spoolsv.exe	spoolsv.exe
PID 3516 set thread context of 7852	3516	spoolsv.exe	diskperf.exe
PID 216 set thread context of 7900	216	spoolsv.exe	spoolsv.exe
PID 216 set thread context of 7912	216	spoolsv.exe	diskperf.exe
PID 2332 set thread context of 7956	2332	spoolsv.exe	spoolsv.exe
PID 2332 set thread context of 7968	2332	spoolsv.exe	diskperf.exe
PID 184 set thread context of 8012	184	spoolsv.exe	spoolsv.exe
PID 184 set thread context of 8036	184	spoolsv.exe	diskperf.exe
PID 1208 set thread context of 8068	1208	spoolsv.exe	spoolsv.exe
PID 1208 set thread context of 8080	1208	spoolsv.exe	diskperf.exe
PID 780 set thread context of 8128	780	spoolsv.exe	spoolsv.exe
PID 780 set thread context of 8136	780	spoolsv.exe	diskperf.exe
PID 1372 set thread context of 8184	1372	spoolsv.exe	spoolsv.exe
PID 1372 set thread context of 2508	1372	spoolsv.exe	diskperf.exe
PID 2612 set thread context of 7220	2612	spoolsv.exe	spoolsv.exe
PID 2000 set thread context of 3104	2000	spoolsv.exe	spoolsv.exe
PID 1472 set thread context of 7356	1472	spoolsv.exe	spoolsv.exe
PID 1472 set thread context of 7368	1472	spoolsv.exe	diskperf.exe
PID 2180 set thread context of 7412	2180	spoolsv.exe	spoolsv.exe
PID 2180 set thread context of 3324	2180	spoolsv.exe	diskperf.exe
PID 3260 set thread context of 7408	3260	spoolsv.exe	spoolsv.exe
PID 3260 set thread context of 7420	3260	spoolsv.exe	diskperf.exe
PID 4084 set thread context of 7536	4084	spoolsv.exe	spoolsv.exe
PID 4084 set thread context of 2160	4084	spoolsv.exe	diskperf.exe
PID 3936 set thread context of 4412	3936	spoolsv.exe	spoolsv.exe
PID 3936 set thread context of 4408	3936	spoolsv.exe	diskperf.exe
PID 3680 set thread context of 7640	3680	spoolsv.exe	spoolsv.exe
PID 3680 set thread context of 7496	3680	spoolsv.exe	diskperf.exe
PID 412 set thread context of 4040	412	spoolsv.exe	spoolsv.exe
PID 4072 set thread context of 7680	4072	spoolsv.exe	spoolsv.exe
PID 4072 set thread context of 7708	4072	spoolsv.exe	diskperf.exe
PID 864 set thread context of 7736	864	spoolsv.exe	spoolsv.exe
PID 864 set thread context of 7748	864	spoolsv.exe	diskperf.exe
PID 732 set thread context of 7820	732	spoolsv.exe	spoolsv.exe
PID 732 set thread context of 7788	732	spoolsv.exe	diskperf.exe
PID 2336 set thread context of 7860	2336	spoolsv.exe	spoolsv.exe
PID 3284 set thread context of 7908	3284	spoolsv.exe	spoolsv.exe
PID 3284 set thread context of 2276	3284	spoolsv.exe	diskperf.exe
PID 3572 set thread context of 4612	3572	spoolsv.exe	spoolsv.exe
PID 3572 set thread context of 2188	3572	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

explorer.exespoolsv.exesinners_and_saints.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	sinners_and_saints.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sinners_and_saints.exeexplorer.exe

pid	process
400	sinners_and_saints.exe
400	sinners_and_saints.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1536 explorer.exe

pid	process
1536	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
400	sinners_and_saints.exe
400	sinners_and_saints.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1536	explorer.exe
1368	spoolsv.exe
1368	spoolsv.exe
7252	spoolsv.exe
7252	spoolsv.exe
7316	spoolsv.exe
7316	spoolsv.exe
7380	spoolsv.exe
7380	spoolsv.exe
7416	spoolsv.exe
7416	spoolsv.exe
7484	spoolsv.exe
7484	spoolsv.exe
7528	spoolsv.exe
7552	spoolsv.exe
7528	spoolsv.exe
7552	spoolsv.exe
7656	spoolsv.exe
7656	spoolsv.exe
7676	spoolsv.exe
7676	spoolsv.exe
7748	spoolsv.exe
7748	spoolsv.exe
7788	spoolsv.exe
7788	spoolsv.exe
7844	spoolsv.exe
7844	spoolsv.exe
7900	spoolsv.exe
7900	spoolsv.exe
7956	spoolsv.exe
7956	spoolsv.exe
8012	spoolsv.exe
8012	spoolsv.exe
8068	spoolsv.exe
8068	spoolsv.exe
8128	spoolsv.exe
8128	spoolsv.exe
8184	spoolsv.exe
8184	spoolsv.exe
7220	spoolsv.exe
7220	spoolsv.exe
3104	spoolsv.exe
3104	spoolsv.exe
7356	spoolsv.exe
7356	spoolsv.exe
7412	spoolsv.exe
7412	spoolsv.exe
7408	spoolsv.exe
7408	spoolsv.exe
7536	spoolsv.exe
7536	spoolsv.exe
4412	spoolsv.exe
4412	spoolsv.exe
7640	spoolsv.exe
7640	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
7680	spoolsv.exe
7680	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sinners_and_saints.exesinners_and_saints.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 3244 wrote to memory of 400	3244	sinners_and_saints.exe	sinners_and_saints.exe
PID 3244 wrote to memory of 400	3244	sinners_and_saints.exe	sinners_and_saints.exe
PID 3244 wrote to memory of 400	3244	sinners_and_saints.exe	sinners_and_saints.exe
PID 3244 wrote to memory of 400	3244	sinners_and_saints.exe	sinners_and_saints.exe
PID 3244 wrote to memory of 400	3244	sinners_and_saints.exe	sinners_and_saints.exe
PID 3244 wrote to memory of 400	3244	sinners_and_saints.exe	sinners_and_saints.exe
PID 3244 wrote to memory of 400	3244	sinners_and_saints.exe	sinners_and_saints.exe
PID 3244 wrote to memory of 400	3244	sinners_and_saints.exe	sinners_and_saints.exe
PID 3244 wrote to memory of 1432	3244	sinners_and_saints.exe	diskperf.exe
PID 3244 wrote to memory of 1432	3244	sinners_and_saints.exe	diskperf.exe
PID 3244 wrote to memory of 1432	3244	sinners_and_saints.exe	diskperf.exe
PID 3244 wrote to memory of 1432	3244	sinners_and_saints.exe	diskperf.exe
PID 3244 wrote to memory of 1432	3244	sinners_and_saints.exe	diskperf.exe
PID 400 wrote to memory of 3120	400	sinners_and_saints.exe	explorer.exe
PID 400 wrote to memory of 3120	400	sinners_and_saints.exe	explorer.exe
PID 400 wrote to memory of 3120	400	sinners_and_saints.exe	explorer.exe
PID 3120 wrote to memory of 1536	3120	explorer.exe	explorer.exe
PID 3120 wrote to memory of 1536	3120	explorer.exe	explorer.exe
PID 3120 wrote to memory of 1536	3120	explorer.exe	explorer.exe
PID 3120 wrote to memory of 1536	3120	explorer.exe	explorer.exe
PID 3120 wrote to memory of 1536	3120	explorer.exe	explorer.exe
PID 3120 wrote to memory of 1536	3120	explorer.exe	explorer.exe
PID 3120 wrote to memory of 1536	3120	explorer.exe	explorer.exe
PID 3120 wrote to memory of 1536	3120	explorer.exe	explorer.exe
PID 3120 wrote to memory of 3396	3120	explorer.exe	diskperf.exe
PID 3120 wrote to memory of 3396	3120	explorer.exe	diskperf.exe
PID 3120 wrote to memory of 3396	3120	explorer.exe	diskperf.exe
PID 3120 wrote to memory of 3396	3120	explorer.exe	diskperf.exe
PID 3120 wrote to memory of 3396	3120	explorer.exe	diskperf.exe
PID 1536 wrote to memory of 2760	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2760	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2760	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2136	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2136	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2136	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 528	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 528	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 528	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 3940	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 3940	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 3940	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 3924	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 3924	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 3924	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2632	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2632	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2632	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2628	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2628	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2628	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2104	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2104	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2104	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 728	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 728	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 728	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2992	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2992	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 2992	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 4056	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 4056	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 4056	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 3236	1536	explorer.exe	spoolsv.exe
PID 1536 wrote to memory of 3236	1536	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\sinners_and_saints.exe
"C:\Users\Admin\AppData\Local\Temp\sinners_and_saints.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Local\Temp\sinners_and_saints.exe
  "C:\Users\Admin\AppData\Local\Temp\sinners_and_saints.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:400
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1368
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7232
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2136
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7252
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7300
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:528
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7316
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7380
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7456
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3924
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7416
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2632
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7484
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7580
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2628
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7528
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7552
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:728
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7656
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2992
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7720
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4056
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7764
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3236
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7788
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7812
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3516
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7844
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7872
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:216
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7900
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7932
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2332
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7956
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7984
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:184
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8012
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8028
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1208
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8068
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8104
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:780
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8128
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8160
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1372
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8184
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7208
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2612
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7220
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7328
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2000
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3104
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1472
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7356
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7332
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2180
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7412
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3260
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7408
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2532
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4084
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7536
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4396
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3936
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4412
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2200
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3680
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7640
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4444
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:412
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3188
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4072
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7680
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3276
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:864
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7736
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:732
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7820
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4028
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2336
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7860
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3284
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7908
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7996
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3572
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4612
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8024
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4016
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2316
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:648
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8076
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8132
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4264
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:400
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3952
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4076
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2888
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1920
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:696
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4064
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7176
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2664
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2512
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1680
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2564
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3100
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4756
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7360
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2608
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2352
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4812
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1232
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7516
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:584
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2240
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7596
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3900
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3112
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4412
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4904
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2660
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3412
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7704
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2260
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4960
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1816
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1364
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7736
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2288
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2124
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7888
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5020
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4132
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7904
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3424
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5068
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4596
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4616
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4180
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2184
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5084
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4204
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:592
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4680
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4244
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3696
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8188
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4268
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4240
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4256
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4292
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4304
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4344
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4316
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1680
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5128
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4356
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7364
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7400
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4380
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2352
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5180
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4400
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7432
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4420
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4392
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5212
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4436
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5228
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4456
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5260
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4472
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4488
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5296
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5312
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4508
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4504
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2716
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4524
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4120
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4540
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4556
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4564
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4572
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7908
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4588
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5432
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4604
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4124
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4620
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8068
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4636
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3952
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4652
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5516
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4668
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3240
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2652
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4684
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4332
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4700
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4336
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4716
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4360
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4732
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2724
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5640
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4748
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1808
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4768
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4424
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:756
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4784
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5244
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4800
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5720
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4816
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5280
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4832
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4500
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4848
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5296
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4120
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4864
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4880
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7904
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4916
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5856
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7196
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:3396
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:1432

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:2184

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
1⤵
PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
a7eb6a0b8d8dbce375adc25117fc6637

SHA1
61e19ddc375a09c01c48c3eb5a40318d3f841fb1

SHA256
e1862530047d9530658f32c4f54f09f2fbb75ec1f3b4788208460d24f324cf30

SHA512
427a695f440b5d261636302529ce30e2371c5035ad12cc31e0e37ca850a5a44218e637f665e73e77fed9dd50f884801b2deb81c3b8bddc191649b8f4a2a4ba59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
8d8096a9ff8de6e43d5c7d679ff2fcf0

SHA1
f4f4c546f9135c355e3ae96014389567d9c5e994

SHA256
f93320c086acf4b26668e0b95a33af58bff04803f0a213e906ddaf3000d3bff6

SHA512
4643ec22af43d8b52ca311b21dfe7fc33f3c254fb105f0c0a268447390ee9f225655590072ffc2ffa979b518c62a479a82fb60bd239989614a322c8854f9a5b8

Download Submit
C:\Windows\System\explorer.exe

MD5
8d8096a9ff8de6e43d5c7d679ff2fcf0

SHA1
f4f4c546f9135c355e3ae96014389567d9c5e994

SHA256
f93320c086acf4b26668e0b95a33af58bff04803f0a213e906ddaf3000d3bff6

SHA512
4643ec22af43d8b52ca311b21dfe7fc33f3c254fb105f0c0a268447390ee9f225655590072ffc2ffa979b518c62a479a82fb60bd239989614a322c8854f9a5b8

Download Submit
C:\Windows\System\explorer.exe

MD5
8d8096a9ff8de6e43d5c7d679ff2fcf0

SHA1
f4f4c546f9135c355e3ae96014389567d9c5e994

SHA256
f93320c086acf4b26668e0b95a33af58bff04803f0a213e906ddaf3000d3bff6

SHA512
4643ec22af43d8b52ca311b21dfe7fc33f3c254fb105f0c0a268447390ee9f225655590072ffc2ffa979b518c62a479a82fb60bd239989614a322c8854f9a5b8

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
C:\Windows\System\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
\??\c:\windows\system\explorer.exe

MD5
8d8096a9ff8de6e43d5c7d679ff2fcf0

SHA1
f4f4c546f9135c355e3ae96014389567d9c5e994

SHA256
f93320c086acf4b26668e0b95a33af58bff04803f0a213e906ddaf3000d3bff6

SHA512
4643ec22af43d8b52ca311b21dfe7fc33f3c254fb105f0c0a268447390ee9f225655590072ffc2ffa979b518c62a479a82fb60bd239989614a322c8854f9a5b8

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
0858babfea4744b8987a8b9406b0ae04

SHA1
091bc004ca89b1bd7bd5d482f7c147cdc245c093

SHA256
f346503f1a93ae5a40dbc637a1846c4b39a9fc11a4f92b1732d6df034921426a

SHA512
70b77f71db0c914b0152e041da8efdaf3ec0e3e5068b558d83da6587196a1e7f9fbe10114c3ffe4821ecb28fd608773ebbe3d69d4efcec450e64267377806bdb

Download Submit
memory/184-192-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/184-187-0x0000000000000000-mapping.dmp

Download
memory/216-190-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/216-183-0x0000000000000000-mapping.dmp

Download
memory/400-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/400-262-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/400-116-0x0000000000403670-mapping.dmp

Download
memory/400-252-0x0000000000000000-mapping.dmp

Download
memory/412-233-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/412-224-0x0000000000000000-mapping.dmp

Download
memory/528-153-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/528-149-0x0000000000000000-mapping.dmp

Download
memory/648-250-0x0000000000000000-mapping.dmp

Download
memory/728-169-0x0000000000000000-mapping.dmp

Download
memory/728-177-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/732-235-0x0000000000000000-mapping.dmp

Download
memory/732-245-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/780-203-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/780-195-0x0000000000000000-mapping.dmp

Download
memory/864-228-0x0000000000000000-mapping.dmp

Download
memory/864-231-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1208-193-0x0000000000000000-mapping.dmp

Download
memory/1208-201-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1232-275-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/1232-269-0x0000000000000000-mapping.dmp

Download
memory/1364-291-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1364-283-0x0000000000000000-mapping.dmp

Download
memory/1372-206-0x0000000000570000-0x000000000061E000-memory.dmp

Filesize
696KB

Download
memory/1372-197-0x0000000000000000-mapping.dmp

Download
memory/1432-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1432-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1432-118-0x0000000000411000-mapping.dmp

Download
memory/1472-208-0x0000000000000000-mapping.dmp

Download
memory/1472-216-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1536-131-0x0000000000403670-mapping.dmp

Download
memory/2000-202-0x0000000000000000-mapping.dmp

Download
memory/2000-205-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2104-162-0x0000000000000000-mapping.dmp

Download
memory/2104-166-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2124-289-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2124-286-0x0000000000000000-mapping.dmp

Download
memory/2136-147-0x0000000000000000-mapping.dmp

Download
memory/2136-152-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2180-218-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/2180-210-0x0000000000000000-mapping.dmp

Download
memory/2240-271-0x0000000000000000-mapping.dmp

Download
memory/2240-276-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2260-281-0x0000000000000000-mapping.dmp

Download
memory/2260-290-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/2332-185-0x0000000000000000-mapping.dmp

Download
memory/2332-191-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/2336-237-0x0000000000000000-mapping.dmp

Download
memory/2336-247-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/2512-258-0x0000000000000000-mapping.dmp

Download
memory/2512-261-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2608-267-0x0000000000000000-mapping.dmp

Download
memory/2612-199-0x0000000000000000-mapping.dmp

Download
memory/2612-207-0x0000000000610000-0x000000000075A000-memory.dmp

Filesize
1.3MB

Download
memory/2628-160-0x0000000000000000-mapping.dmp

Download
memory/2628-168-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2632-158-0x0000000000000000-mapping.dmp

Download
memory/2632-167-0x0000000000580000-0x000000000062E000-memory.dmp

Filesize
696KB

Download
memory/2660-287-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-279-0x0000000000000000-mapping.dmp

Download
memory/2760-144-0x0000000000000000-mapping.dmp

Download
memory/2760-151-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/2888-254-0x0000000000000000-mapping.dmp

Download
memory/2888-263-0x0000000000650000-0x000000000079A000-memory.dmp

Filesize
1.3MB

Download
memory/2992-179-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/2992-171-0x0000000000000000-mapping.dmp

Download
memory/3100-273-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3100-264-0x0000000000000000-mapping.dmp

Download
memory/3112-277-0x0000000000000000-mapping.dmp

Download
memory/3112-285-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3120-124-0x0000000000000000-mapping.dmp

Download
memory/3120-129-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3236-175-0x0000000000000000-mapping.dmp

Download
memory/3236-178-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3244-114-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3260-212-0x0000000000000000-mapping.dmp

Download
memory/3260-219-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3284-239-0x0000000000000000-mapping.dmp

Download
memory/3284-248-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3396-137-0x0000000000411000-mapping.dmp

Download
memory/3516-181-0x0000000000000000-mapping.dmp

Download
memory/3516-189-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3572-249-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3572-241-0x0000000000000000-mapping.dmp

Download
memory/3680-222-0x0000000000000000-mapping.dmp

Download
memory/3680-232-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/3924-156-0x0000000000000000-mapping.dmp

Download
memory/3924-165-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3936-220-0x0000000000000000-mapping.dmp

Download
memory/3936-229-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/3940-164-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3940-154-0x0000000000000000-mapping.dmp

Download
memory/4016-246-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4016-243-0x0000000000000000-mapping.dmp

Download
memory/4056-173-0x0000000000000000-mapping.dmp

Download
memory/4056-180-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4064-256-0x0000000000000000-mapping.dmp

Download
memory/4064-265-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4072-226-0x0000000000000000-mapping.dmp

Download
memory/4072-234-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4084-217-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/4084-214-0x0000000000000000-mapping.dmp

Download
memory/4132-292-0x0000000000000000-mapping.dmp

Download
memory/4132-300-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4156-302-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/4156-294-0x0000000000000000-mapping.dmp

Download
memory/4180-296-0x0000000000000000-mapping.dmp

Download
memory/4180-303-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4204-301-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4204-298-0x0000000000000000-mapping.dmp

Download
memory/4244-304-0x0000000000000000-mapping.dmp

Download
memory/4244-312-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4268-306-0x0000000000000000-mapping.dmp

Download
memory/4268-313-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4292-314-0x0000000000640000-0x000000000078A000-memory.dmp

Filesize
1.3MB

Download
memory/4292-308-0x0000000000000000-mapping.dmp

Download
memory/4316-310-0x0000000000000000-mapping.dmp

Download
memory/4316-315-0x0000000000660000-0x00000000007AA000-memory.dmp

Filesize
1.3MB

Download
memory/4356-316-0x0000000000000000-mapping.dmp

Download
memory/4356-319-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/4380-318-0x0000000000000000-mapping.dmp

Download