warzonerat | 18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
Size

1.8MB
MD5

26a323e607357eeaca1c1a916d0f482b
SHA1

71bafb7bafd2120eae1c02052efaa51cabd7591b
SHA256

18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec
SHA512

ec89c603d28dc58bbea97fd8bf2030a84efb7de47269962fe133dced0d5ff0111c82f79badb3c35bc96af56db55e94db8f0897d5703ddad1b57fbe875734869f
SSDEEP

12288:i254f/VAuj79umm3xR0lq+X6kOyeXiYxewRJBWW59qA7W2FeDSIGVH/KIDgDgUez:x+D9uVMpjOyerrFQDbGV6eH81kv

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023b9a-19.dat	warzonerat
behavioral2/files/0x000b000000023b98-34.dat	warzonerat
behavioral2/files/0x00030000000226df-49.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
972	explorer.exe
4520	explorer.exe
1488	spoolsv.exe
3616	spoolsv.exe
1212	spoolsv.exe
3312	spoolsv.exe
3812	spoolsv.exe
3688	spoolsv.exe
4932	spoolsv.exe
464	spoolsv.exe
384	spoolsv.exe
1956	spoolsv.exe
5048	spoolsv.exe
4584	spoolsv.exe
5028	spoolsv.exe
2768	spoolsv.exe
4328	spoolsv.exe
2384	spoolsv.exe
1252	spoolsv.exe
4600	spoolsv.exe
2928	spoolsv.exe
1192	spoolsv.exe
1392	spoolsv.exe
1180	spoolsv.exe
1588	spoolsv.exe
3756	spoolsv.exe
4224	spoolsv.exe
4364	spoolsv.exe
2736	spoolsv.exe
3152	spoolsv.exe
448	spoolsv.exe
4776	spoolsv.exe
4964	spoolsv.exe
5052	spoolsv.exe
2216	spoolsv.exe
1976	spoolsv.exe
2604	spoolsv.exe
1416	spoolsv.exe
960	spoolsv.exe
3652	spoolsv.exe
4608	spoolsv.exe
3940	spoolsv.exe
2288	spoolsv.exe
2060	spoolsv.exe
3208	spoolsv.exe
3052	spoolsv.exe
2540	spoolsv.exe
3576	spoolsv.exe
4924	spoolsv.exe
3404	spoolsv.exe
5108	spoolsv.exe
2068	spoolsv.exe
3008	spoolsv.exe
1436	spoolsv.exe
4040	spoolsv.exe
1300	spoolsv.exe
2196	spoolsv.exe
2788	spoolsv.exe
1664	spoolsv.exe
8	spoolsv.exe
2676	spoolsv.exe
2156	spoolsv.exe
1948	spoolsv.exe
744	spoolsv.exe

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 216 set thread context of 4744	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	102
PID 216 set thread context of 4896	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	103
PID 972 set thread context of 4520	972	explorer.exe	105
PID 972 set thread context of 2680	972	explorer.exe	106
PID 1488 set thread context of 4008	1488	spoolsv.exe	341
PID 1488 set thread context of 6304	1488	spoolsv.exe	342
PID 3616 set thread context of 5116	3616	spoolsv.exe	345
PID 3616 set thread context of 1980	3616	spoolsv.exe	346
PID 1212 set thread context of 4004	1212	spoolsv.exe	348
PID 1212 set thread context of 1020	1212	spoolsv.exe	349
PID 3312 set thread context of 7180	3312	spoolsv.exe	351
PID 3312 set thread context of 7192	3312	spoolsv.exe	352
PID 3812 set thread context of 7276	3812	spoolsv.exe	354
PID 3812 set thread context of 7296	3812	spoolsv.exe	355
PID 3688 set thread context of 7352	3688	spoolsv.exe	356
PID 4932 set thread context of 7436	4932	spoolsv.exe	359
PID 4932 set thread context of 7448	4932	spoolsv.exe	360
PID 464 set thread context of 7540	464	spoolsv.exe	362
PID 384 set thread context of 7624	384	spoolsv.exe	365
PID 384 set thread context of 7636	384	spoolsv.exe	366
PID 1956 set thread context of 7728	1956	spoolsv.exe	368
PID 1956 set thread context of 7740	1956	spoolsv.exe	369
PID 5048 set thread context of 7816	5048	spoolsv.exe	371
PID 5048 set thread context of 7832	5048	spoolsv.exe	372
PID 4584 set thread context of 7904	4584	spoolsv.exe	373
PID 4584 set thread context of 7916	4584	spoolsv.exe	374
PID 5028 set thread context of 8004	5028	spoolsv.exe	376
PID 5028 set thread context of 8020	5028	spoolsv.exe	377
PID 2768 set thread context of 8104	2768	spoolsv.exe	379
PID 2768 set thread context of 8116	2768	spoolsv.exe	380
PID 4328 set thread context of 5064	4328	spoolsv.exe	382
PID 4328 set thread context of 7188	4328	spoolsv.exe	383
PID 2384 set thread context of 7312	2384	spoolsv.exe	385
PID 2384 set thread context of 7240	2384	spoolsv.exe	386
PID 1252 set thread context of 7376	1252	spoolsv.exe	387
PID 1252 set thread context of 7368	1252	spoolsv.exe	388
PID 4600 set thread context of 7484	4600	spoolsv.exe	390
PID 4600 set thread context of 7512	4600	spoolsv.exe	391
PID 2928 set thread context of 1876	2928	spoolsv.exe	392
PID 2928 set thread context of 7580	2928	spoolsv.exe	393
PID 1192 set thread context of 7720	1192	spoolsv.exe	395
PID 1392 set thread context of 7876	1392	spoolsv.exe	398
PID 1392 set thread context of 7820	1392	spoolsv.exe	399
PID 1180 set thread context of 7952	1180	spoolsv.exe	401
PID 1180 set thread context of 1592	1180	spoolsv.exe	402
PID 1588 set thread context of 8008	1588	spoolsv.exe	404
PID 1588 set thread context of 8068	1588	spoolsv.exe	405
PID 3756 set thread context of 8124	3756	spoolsv.exe	407
PID 3756 set thread context of 7172	3756	spoolsv.exe	408
PID 4224 set thread context of 7252	4224	spoolsv.exe	410
PID 4224 set thread context of 7336	4224	spoolsv.exe	411
PID 4364 set thread context of 7460	4364	spoolsv.exe	413
PID 2736 set thread context of 4052	2736	spoolsv.exe	416
PID 3152 set thread context of 1840	3152	spoolsv.exe	419
PID 3152 set thread context of 1720	3152	spoolsv.exe	420
PID 448 set thread context of 7748	448	spoolsv.exe	422
PID 448 set thread context of 7884	448	spoolsv.exe	423
PID 4776 set thread context of 8036	4776	spoolsv.exe	425
PID 4776 set thread context of 3624	4776	spoolsv.exe	426
PID 4964 set thread context of 8160	4964	spoolsv.exe	428
PID 4964 set thread context of 1816	4964	spoolsv.exe	429
PID 5052 set thread context of 4336	5052	spoolsv.exe	431
PID 5052 set thread context of 7216	5052	spoolsv.exe	432
PID 2216 set thread context of 2596	2216	spoolsv.exe	434

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4744	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
4744	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4520	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4744	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
4744	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4520	explorer.exe
4008	spoolsv.exe
4008	spoolsv.exe
5116	spoolsv.exe
5116	spoolsv.exe
4004	spoolsv.exe
4004	spoolsv.exe
7180	spoolsv.exe
7180	spoolsv.exe
7276	spoolsv.exe
7276	spoolsv.exe
7352	spoolsv.exe
7352	spoolsv.exe
7436	spoolsv.exe
7436	spoolsv.exe
7540	spoolsv.exe
7540	spoolsv.exe
7624	spoolsv.exe
7624	spoolsv.exe
7728	spoolsv.exe
7728	spoolsv.exe
7816	spoolsv.exe
7816	spoolsv.exe
7904	spoolsv.exe
7904	spoolsv.exe
8004	spoolsv.exe
8004	spoolsv.exe
8104	spoolsv.exe
8104	spoolsv.exe
5064	spoolsv.exe
5064	spoolsv.exe
7312	spoolsv.exe
7312	spoolsv.exe
7376	spoolsv.exe
7376	spoolsv.exe
7484	spoolsv.exe
7484	spoolsv.exe
1876	spoolsv.exe
1876	spoolsv.exe
7720	spoolsv.exe
7720	spoolsv.exe
7876	spoolsv.exe
7876	spoolsv.exe
7952	spoolsv.exe
7952	spoolsv.exe
8008	spoolsv.exe
8008	spoolsv.exe
8124	spoolsv.exe
8124	spoolsv.exe
7252	spoolsv.exe
7252	spoolsv.exe
7460	spoolsv.exe
7460	spoolsv.exe
4052	spoolsv.exe
4052	spoolsv.exe
1840	spoolsv.exe
1840	spoolsv.exe
7748	spoolsv.exe
7748	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4744	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	102
PID 216 wrote to memory of 4744	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	102
PID 216 wrote to memory of 4744	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	102
PID 216 wrote to memory of 4744	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	102
PID 216 wrote to memory of 4744	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	102
PID 216 wrote to memory of 4744	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	102
PID 216 wrote to memory of 4744	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	102
PID 216 wrote to memory of 4744	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	102
PID 216 wrote to memory of 4896	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	103
PID 216 wrote to memory of 4896	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	103
PID 216 wrote to memory of 4896	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	103
PID 216 wrote to memory of 4896	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	103
PID 216 wrote to memory of 4896	216	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	103
PID 4744 wrote to memory of 972	4744	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	104
PID 4744 wrote to memory of 972	4744	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	104
PID 4744 wrote to memory of 972	4744	18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe	104
PID 972 wrote to memory of 4520	972	explorer.exe	105
PID 972 wrote to memory of 4520	972	explorer.exe	105
PID 972 wrote to memory of 4520	972	explorer.exe	105
PID 972 wrote to memory of 4520	972	explorer.exe	105
PID 972 wrote to memory of 4520	972	explorer.exe	105
PID 972 wrote to memory of 4520	972	explorer.exe	105
PID 972 wrote to memory of 4520	972	explorer.exe	105
PID 972 wrote to memory of 4520	972	explorer.exe	105
PID 972 wrote to memory of 2680	972	explorer.exe	106
PID 972 wrote to memory of 2680	972	explorer.exe	106
PID 972 wrote to memory of 2680	972	explorer.exe	106
PID 972 wrote to memory of 2680	972	explorer.exe	106
PID 972 wrote to memory of 2680	972	explorer.exe	106
PID 4520 wrote to memory of 1488	4520	explorer.exe	107
PID 4520 wrote to memory of 1488	4520	explorer.exe	107
PID 4520 wrote to memory of 1488	4520	explorer.exe	107
PID 4520 wrote to memory of 3616	4520	explorer.exe	108
PID 4520 wrote to memory of 3616	4520	explorer.exe	108
PID 4520 wrote to memory of 3616	4520	explorer.exe	108
PID 4520 wrote to memory of 1212	4520	explorer.exe	109
PID 4520 wrote to memory of 1212	4520	explorer.exe	109
PID 4520 wrote to memory of 1212	4520	explorer.exe	109
PID 4520 wrote to memory of 3312	4520	explorer.exe	110
PID 4520 wrote to memory of 3312	4520	explorer.exe	110
PID 4520 wrote to memory of 3312	4520	explorer.exe	110
PID 4520 wrote to memory of 3812	4520	explorer.exe	111
PID 4520 wrote to memory of 3812	4520	explorer.exe	111
PID 4520 wrote to memory of 3812	4520	explorer.exe	111
PID 4520 wrote to memory of 3688	4520	explorer.exe	112
PID 4520 wrote to memory of 3688	4520	explorer.exe	112
PID 4520 wrote to memory of 3688	4520	explorer.exe	112
PID 4520 wrote to memory of 4932	4520	explorer.exe	113
PID 4520 wrote to memory of 4932	4520	explorer.exe	113
PID 4520 wrote to memory of 4932	4520	explorer.exe	113
PID 4520 wrote to memory of 464	4520	explorer.exe	114
PID 4520 wrote to memory of 464	4520	explorer.exe	114
PID 4520 wrote to memory of 464	4520	explorer.exe	114
PID 4520 wrote to memory of 384	4520	explorer.exe	115
PID 4520 wrote to memory of 384	4520	explorer.exe	115
PID 4520 wrote to memory of 384	4520	explorer.exe	115
PID 4520 wrote to memory of 1956	4520	explorer.exe	116
PID 4520 wrote to memory of 1956	4520	explorer.exe	116
PID 4520 wrote to memory of 1956	4520	explorer.exe	116
PID 4520 wrote to memory of 5048	4520	explorer.exe	117
PID 4520 wrote to memory of 5048	4520	explorer.exe	117
PID 4520 wrote to memory of 5048	4520	explorer.exe	117
PID 4520 wrote to memory of 4584	4520	explorer.exe	118
PID 4520 wrote to memory of 4584	4520	explorer.exe	118

C:\Users\Admin\AppData\Local\Temp\18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
"C:\Users\Admin\AppData\Local\Temp\18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe
  "C:\Users\Admin\AppData\Local\Temp\18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4744
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:972
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1488
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4008
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1908
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3616
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5116
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2128
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1212
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4004
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4664
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3312
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7180
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7256
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3812
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7276
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3688
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7352
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7396
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7436
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7504
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:464
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7540
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7588
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:7624
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7672
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1956
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7728
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7776
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5048
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7816
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4584
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7904
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7964
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5028
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8004
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8072
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2768
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8104
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8164
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4328
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7244
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7312
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1252
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7376
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7472
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4600
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7484
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2928
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7688
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1192
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7720
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7768
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1392
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7876
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7896
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1180
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7952
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8044
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1588
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:8008
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2476
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3756
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8124
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7304
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4224
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7252
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7380
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4364
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:7460
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7528
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2736
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4052
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7596
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3152
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7716
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:448
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:7748
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7808
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4776
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8036
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8100
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4964
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8160
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7316
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4336
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1756
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2216
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2688
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1976
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7632
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2604
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7796
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1416
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8740
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8804
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8844
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8912
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3652
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:8948
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:9008
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4608
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:9048
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:9116
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:9060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:9148
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:184
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:9160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2288
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8776
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8828
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2060
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8868
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3180
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3208
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8988
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8676
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:9000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:9096
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8672
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:9180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2540
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8688
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2464
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3576
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8876
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1892
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4924
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8680
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:9040
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3404
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:392
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4728
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5108
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2144
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2068
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4260
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4344
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3008
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:736
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1436
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3316
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8984
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4040
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8952
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1492
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:9156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1300
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2012
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:544
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2196
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8664
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3964
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2788
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1372
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1576
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1664
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:9136
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1656
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:8
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8636
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1440
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2676
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3672
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1712
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5196
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5380
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1948
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5544
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8604
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:744
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2108
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4188
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1512
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1292
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8596
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3196
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2412
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5532
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2520
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5712
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5724
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8768
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:860
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:396
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5660
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4340
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8628
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8592
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2268
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5840
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4384
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4068
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3212
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2956
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4484
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:908
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2880
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:468
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5864
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1428
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4992
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3500
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1604
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3320
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2436
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8940
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3488
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:64
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5576
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6760
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:2680
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
1.8MB

MD5
26a323e607357eeaca1c1a916d0f482b

SHA1
71bafb7bafd2120eae1c02052efaa51cabd7591b

SHA256
18e076bb22939c001cf86555fccb5ceb1249344a557f541a86d7c985357342ec

SHA512
ec89c603d28dc58bbea97fd8bf2030a84efb7de47269962fe133dced0d5ff0111c82f79badb3c35bc96af56db55e94db8f0897d5703ddad1b57fbe875734869f

Download Submit
C:\Windows\System\explorer.exe

Filesize
1.8MB

MD5
7191f1634d882095cdac504bed70fdbc

SHA1
b91c0d1b806abf84a436c47f4c999627eb7ed113

SHA256
987c7efd1f9457159d72e7fb9e7752332d5d08cfaf8e0e7277079a0fc7e36eb6

SHA512
745336d6f03b7ea26edf4df2c0e2e2221b6d95a17363190c9bcac9ceb9f77f10f2c7aae8bed12cf593a7c42c99da5a0059d1735a1bfe996d63409dc04b95fd83

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.8MB

MD5
04791d5d22b5a117a7c2ed369f6645ce

SHA1
44be4e149753d6f53800bb5c3cf629428f5a8ee1

SHA256
9317c6e873c20dc0abff24dfd3a08a1623cbfbdd8ba462395cd279c404a63694

SHA512
84ddd72d1e24516b55c54dda0a56da22eda107ceded63803e782f76310de3aa7f6a4727e5f40e02102b405b6d3727e18a8e14e73b2c712830f77c74380a4aabf

Download Submit
memory/8-185-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/216-1-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/216-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/216-3-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/216-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/216-17-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/384-82-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/448-128-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/464-80-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/464-61-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/468-191-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/744-189-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/960-123-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/960-148-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/972-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/972-24-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/972-27-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/972-45-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1180-110-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1192-106-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1212-70-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1252-100-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1300-180-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1300-163-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1392-108-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1392-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1416-146-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1416-120-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1436-178-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1488-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1512-190-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1588-112-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1664-170-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1664-184-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1948-188-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1956-85-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1960-195-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1976-141-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2060-136-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2060-158-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2068-175-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2156-187-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2156-176-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2196-182-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2216-138-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2288-156-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2384-98-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2540-165-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2604-144-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2676-186-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2676-174-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2680-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2736-122-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2768-94-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2788-183-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2928-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2928-83-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3008-177-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3052-162-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3052-142-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3152-125-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3196-181-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3196-193-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3208-139-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3208-160-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3312-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3404-172-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3576-167-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3616-67-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3652-150-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3652-126-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3688-76-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3756-114-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3812-74-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3940-154-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3940-131-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4004-258-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4004-259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4040-179-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4224-116-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4228-194-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4328-96-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4364-119-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4520-36-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4584-68-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4584-90-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4600-102-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4608-152-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4744-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4744-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4744-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4776-130-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4896-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4896-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4896-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4924-169-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4932-78-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4964-133-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5028-92-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5048-87-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5052-135-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5108-173-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5116-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7276-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7352-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7436-296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7540-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7624-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download