warzonerat | 7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da

Analysis

max time kernel
136s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-01-2025 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
Size

1.8MB
MD5

82a7909578880d6efe98bfe5e4a68458
SHA1

0681fdfda49ca927373ac5518a9cba4c5089c3f9
SHA256

7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da
SHA512

a9d758c937f50db942fd2f6937278eafebb28796ccc3491fa0a1ba1191a4fe6fdbd598b9e5313436b5bde112e35cb6e63e0b00425eda2a34b3020ca596a54840
SSDEEP

12288:BUrjP8Xuc2UY0B8TIwDDMistJ6gicRzubSFJeOgTpBA7W2FeDSIGVH/KIDgDgUeQ:ujjSYIUDJ86giGTPQDbGV6eH81kM

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x000800000001867d-34.dat	warzonerat
behavioral1/files/0x00080000000174bf-64.dat	warzonerat
behavioral1/files/0x000700000001878d-79.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2584	explorer.exe
1616	explorer.exe
2160	spoolsv.exe
2112	spoolsv.exe
2264	spoolsv.exe
2284	spoolsv.exe
444	spoolsv.exe
2408	spoolsv.exe
620	spoolsv.exe
964	spoolsv.exe
784	spoolsv.exe
1280	spoolsv.exe
2000	spoolsv.exe
2988	spoolsv.exe
1980	spoolsv.exe
2068	spoolsv.exe
2304	spoolsv.exe
2136	spoolsv.exe
1528	spoolsv.exe
2788	spoolsv.exe
2572	spoolsv.exe
2564	spoolsv.exe
3012	spoolsv.exe
2608	spoolsv.exe
2956	spoolsv.exe
2360	spoolsv.exe
568	spoolsv.exe
944	spoolsv.exe
1016	spoolsv.exe
2348	spoolsv.exe
1376	spoolsv.exe
2276	spoolsv.exe
2760	spoolsv.exe
3068	spoolsv.exe
772	spoolsv.exe
588	spoolsv.exe
1636	spoolsv.exe
1000	spoolsv.exe
2216	spoolsv.exe
1456	spoolsv.exe
1412	spoolsv.exe
1704	spoolsv.exe
804	spoolsv.exe
1556	spoolsv.exe
952	spoolsv.exe
1744	spoolsv.exe
2428	spoolsv.exe
2868	spoolsv.exe
856	spoolsv.exe
1324	spoolsv.exe
2888	spoolsv.exe
2920	spoolsv.exe
1720	spoolsv.exe
644	spoolsv.exe
2448	spoolsv.exe
2996	spoolsv.exe
2732	spoolsv.exe
1548	spoolsv.exe
2156	spoolsv.exe
2776	spoolsv.exe
1424	spoolsv.exe
564	spoolsv.exe
2804	spoolsv.exe
2228	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
2540	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
2540	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe

Adds Run key to start application 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2736 set thread context of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 set thread context of 2256	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	31
PID 2584 set thread context of 1616	2584	explorer.exe	33
PID 2584 set thread context of 600	2584	explorer.exe	34
PID 2160 set thread context of 4120	2160	spoolsv.exe	483
PID 2160 set thread context of 5152	2160	spoolsv.exe	484
PID 2112 set thread context of 5240	2112	spoolsv.exe	486
PID 2112 set thread context of 5296	2112	spoolsv.exe	487
PID 2264 set thread context of 5388	2264	spoolsv.exe	490
PID 2264 set thread context of 5440	2264	spoolsv.exe	491
PID 2284 set thread context of 5508	2284	spoolsv.exe	493
PID 2284 set thread context of 5560	2284	spoolsv.exe	494
PID 444 set thread context of 5628	444	spoolsv.exe	496
PID 444 set thread context of 5688	444	spoolsv.exe	497
PID 2408 set thread context of 5756	2408	spoolsv.exe	499
PID 2408 set thread context of 5808	2408	spoolsv.exe	500
PID 620 set thread context of 5884	620	spoolsv.exe	502
PID 620 set thread context of 5936	620	spoolsv.exe	503
PID 964 set thread context of 6000	964	spoolsv.exe	505
PID 964 set thread context of 6056	964	spoolsv.exe	506
PID 784 set thread context of 6132	784	spoolsv.exe	508
PID 784 set thread context of 5132	784	spoolsv.exe	509
PID 1280 set thread context of 5312	1280	spoolsv.exe	511
PID 1280 set thread context of 5352	1280	spoolsv.exe	512
PID 2000 set thread context of 5380	2000	spoolsv.exe	514
PID 2000 set thread context of 5436	2000	spoolsv.exe	515
PID 2988 set thread context of 5576	2988	spoolsv.exe	517
PID 2988 set thread context of 5544	2988	spoolsv.exe	518
PID 1980 set thread context of 5656	1980	spoolsv.exe	520
PID 1980 set thread context of 5724	1980	spoolsv.exe	521
PID 2068 set thread context of 5844	2068	spoolsv.exe	523
PID 2068 set thread context of 5876	2068	spoolsv.exe	524
PID 2304 set thread context of 5956	2304	spoolsv.exe	526
PID 2304 set thread context of 6080	2304	spoolsv.exe	527
PID 2136 set thread context of 6032	2136	spoolsv.exe	529
PID 2136 set thread context of 5136	2136	spoolsv.exe	530
PID 1528 set thread context of 3056	1528	spoolsv.exe	532
PID 1528 set thread context of 5332	1528	spoolsv.exe	534
PID 2788 set thread context of 5448	2788	spoolsv.exe	535
PID 2788 set thread context of 5432	2788	spoolsv.exe	537
PID 2572 set thread context of 5528	2572	spoolsv.exe	538
PID 2572 set thread context of 5524	2572	spoolsv.exe	539
PID 2564 set thread context of 5700	2564	spoolsv.exe	541
PID 2564 set thread context of 5824	2564	spoolsv.exe	542
PID 3012 set thread context of 5916	3012	spoolsv.exe	544
PID 3012 set thread context of 5848	3012	spoolsv.exe	546
PID 2608 set thread context of 5992	2608	spoolsv.exe	547
PID 2608 set thread context of 6120	2608	spoolsv.exe	549
PID 2956 set thread context of 6076	2956	spoolsv.exe	548
PID 2956 set thread context of 5260	2956	spoolsv.exe	551
PID 2360 set thread context of 5364	2360	spoolsv.exe	552
PID 2360 set thread context of 5304	2360	spoolsv.exe	553
PID 568 set thread context of 5500	568	spoolsv.exe	554
PID 568 set thread context of 5516	568	spoolsv.exe	555
PID 944 set thread context of 5568	944	spoolsv.exe	557
PID 944 set thread context of 5816	944	spoolsv.exe	560
PID 1016 set thread context of 5708	1016	spoolsv.exe	558
PID 1016 set thread context of 5868	1016	spoolsv.exe	561
PID 2348 set thread context of 6072	2348	spoolsv.exe	562
PID 1376 set thread context of 6124	1376	spoolsv.exe	565
PID 2348 set thread context of 2192	2348	spoolsv.exe	563
PID 1376 set thread context of 5308	1376	spoolsv.exe	566
PID 2276 set thread context of 5476	2276	spoolsv.exe	568
PID 2276 set thread context of 4100	2276	spoolsv.exe	569

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1616	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2540	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
2540	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
1616	explorer.exe
4120	spoolsv.exe
4120	spoolsv.exe
5240	spoolsv.exe
5240	spoolsv.exe
5388	spoolsv.exe
5388	spoolsv.exe
5508	spoolsv.exe
5508	spoolsv.exe
5628	spoolsv.exe
5628	spoolsv.exe
5756	spoolsv.exe
5756	spoolsv.exe
5884	spoolsv.exe
5884	spoolsv.exe
6000	spoolsv.exe
6000	spoolsv.exe
6132	spoolsv.exe
6132	spoolsv.exe
5312	spoolsv.exe
5312	spoolsv.exe
5380	spoolsv.exe
5380	spoolsv.exe
5576	spoolsv.exe
5576	spoolsv.exe
5656	spoolsv.exe
5656	spoolsv.exe
5844	spoolsv.exe
5844	spoolsv.exe
5956	spoolsv.exe
5956	spoolsv.exe
6032	spoolsv.exe
6032	spoolsv.exe
3056	spoolsv.exe
3056	spoolsv.exe
5448	spoolsv.exe
5448	spoolsv.exe
5528	spoolsv.exe
5528	spoolsv.exe
5700	spoolsv.exe
5700	spoolsv.exe
5916	spoolsv.exe
5916	spoolsv.exe
5992	spoolsv.exe
5992	spoolsv.exe
6076	spoolsv.exe
6076	spoolsv.exe
5364	spoolsv.exe
5364	spoolsv.exe
5500	spoolsv.exe
5500	spoolsv.exe
5568	spoolsv.exe
5568	spoolsv.exe
5708	spoolsv.exe
5708	spoolsv.exe
6072	spoolsv.exe
6072	spoolsv.exe
6124	spoolsv.exe
6124	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 wrote to memory of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 wrote to memory of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 wrote to memory of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 wrote to memory of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 wrote to memory of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 wrote to memory of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 wrote to memory of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 wrote to memory of 2540	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	30
PID 2736 wrote to memory of 2256	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	31
PID 2736 wrote to memory of 2256	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	31
PID 2736 wrote to memory of 2256	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	31
PID 2736 wrote to memory of 2256	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	31
PID 2736 wrote to memory of 2256	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	31
PID 2736 wrote to memory of 2256	2736	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	31
PID 2540 wrote to memory of 2584	2540	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	32
PID 2540 wrote to memory of 2584	2540	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	32
PID 2540 wrote to memory of 2584	2540	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	32
PID 2540 wrote to memory of 2584	2540	7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe	32
PID 2584 wrote to memory of 1616	2584	explorer.exe	33
PID 2584 wrote to memory of 1616	2584	explorer.exe	33
PID 2584 wrote to memory of 1616	2584	explorer.exe	33
PID 2584 wrote to memory of 1616	2584	explorer.exe	33
PID 2584 wrote to memory of 1616	2584	explorer.exe	33
PID 2584 wrote to memory of 1616	2584	explorer.exe	33
PID 2584 wrote to memory of 1616	2584	explorer.exe	33
PID 2584 wrote to memory of 1616	2584	explorer.exe	33
PID 2584 wrote to memory of 1616	2584	explorer.exe	33
PID 2584 wrote to memory of 600	2584	explorer.exe	34
PID 2584 wrote to memory of 600	2584	explorer.exe	34
PID 2584 wrote to memory of 600	2584	explorer.exe	34
PID 2584 wrote to memory of 600	2584	explorer.exe	34
PID 2584 wrote to memory of 600	2584	explorer.exe	34
PID 2584 wrote to memory of 600	2584	explorer.exe	34
PID 1616 wrote to memory of 2160	1616	explorer.exe	35
PID 1616 wrote to memory of 2160	1616	explorer.exe	35
PID 1616 wrote to memory of 2160	1616	explorer.exe	35
PID 1616 wrote to memory of 2160	1616	explorer.exe	35
PID 1616 wrote to memory of 2112	1616	explorer.exe	36
PID 1616 wrote to memory of 2112	1616	explorer.exe	36
PID 1616 wrote to memory of 2112	1616	explorer.exe	36
PID 1616 wrote to memory of 2112	1616	explorer.exe	36
PID 1616 wrote to memory of 2264	1616	explorer.exe	37
PID 1616 wrote to memory of 2264	1616	explorer.exe	37
PID 1616 wrote to memory of 2264	1616	explorer.exe	37
PID 1616 wrote to memory of 2264	1616	explorer.exe	37
PID 1616 wrote to memory of 2284	1616	explorer.exe	38
PID 1616 wrote to memory of 2284	1616	explorer.exe	38
PID 1616 wrote to memory of 2284	1616	explorer.exe	38
PID 1616 wrote to memory of 2284	1616	explorer.exe	38
PID 1616 wrote to memory of 444	1616	explorer.exe	39
PID 1616 wrote to memory of 444	1616	explorer.exe	39
PID 1616 wrote to memory of 444	1616	explorer.exe	39
PID 1616 wrote to memory of 444	1616	explorer.exe	39
PID 1616 wrote to memory of 2408	1616	explorer.exe	40
PID 1616 wrote to memory of 2408	1616	explorer.exe	40
PID 1616 wrote to memory of 2408	1616	explorer.exe	40
PID 1616 wrote to memory of 2408	1616	explorer.exe	40
PID 1616 wrote to memory of 620	1616	explorer.exe	41
PID 1616 wrote to memory of 620	1616	explorer.exe	41
PID 1616 wrote to memory of 620	1616	explorer.exe	41
PID 1616 wrote to memory of 620	1616	explorer.exe	41
PID 1616 wrote to memory of 964	1616	explorer.exe	42
PID 1616 wrote to memory of 964	1616	explorer.exe	42

C:\Users\Admin\AppData\Local\Temp\7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
"C:\Users\Admin\AppData\Local\Temp\7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe
  "C:\Users\Admin\AppData\Local\Temp\7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2540
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2160
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4120
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5356
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2112
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5240
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2264
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5388
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5488
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2284
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5508
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5612
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:444
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5628
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5732
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2408
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5756
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5856
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:620
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5884
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5980
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:964
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6000
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6112
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:784
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6132
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5208
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1280
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5312
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5372
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2000
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5380
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5484
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2988
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5576
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5644
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1980
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5656
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5752
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2068
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5844
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5928
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5876
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2304
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5956
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6096
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2136
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6032
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5172
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1528
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5324
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2788
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5420
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2572
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5528
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5676
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2564
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5700
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5904
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3012
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5916
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1796
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2608
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5992
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5184
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2956
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6076
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2360
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5364
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:568
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5500
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5536
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:944
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5568
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5728
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1016
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5708
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2348
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6072
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5160
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1376
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6124
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5316
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2276
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5476
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5768
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3068
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5520
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5924
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:588
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1636
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4680
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5348
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5408
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1000
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5216
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2216
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5640
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5988
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1456
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2636
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1412
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2472
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1704
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5200
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:804
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5368
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5512
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1556
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5480
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:952
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6004
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1744
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5180
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2428
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5424
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2868
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5148
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:856
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2188
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5744
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5660
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1324
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5684
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5276
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2888
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5888
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2920
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6068
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1720
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1316
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:268
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1572
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2448
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5764
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2996
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:852
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2732
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5572
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5600
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2352
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2356
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2156
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5696
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5996
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2776
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5652
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5288
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1424
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5804
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5972
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:564
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2804
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6048
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2228
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:696
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2840
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1508
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1676
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6092
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5864
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1668
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1776
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2860
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5788
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5460
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2964
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2324
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:896
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1608
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1472
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5608
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1552
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6272
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6344
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6388
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6496
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2208
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6592
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1992
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6504
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1580
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6724
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6872
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1056
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6740
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1928
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6944
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7024
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6952
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7144
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1852
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7136
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2808
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6128
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6208
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1864
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6156
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2076
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6340
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2172
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6608
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6688
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3064
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6580
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2120
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6828
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6892
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2336
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6924
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2516
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7072
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6012
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1896
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5964
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:336
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6168
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1652
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:532
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1872
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6520
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6412
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2480
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2164
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2288
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3052
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2128
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1492
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6840
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6888
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3032
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2508
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6996
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6136
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2708
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2364
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1892
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7148
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6456
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2632
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6464
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2812
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6428
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1584
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2704
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6976
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2468
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6508
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6912
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2052
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6988
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1464
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6204
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6336
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:932
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1800
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2980
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2652
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6568
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6600
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1380
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6476
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:576
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6816
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2244
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6832
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7092
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2616
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5580
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:264
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6040
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6484
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:776
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6516
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2248
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6436
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6652
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6680
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2180
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6760
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2224
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2736
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1868
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1856
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1124
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1460
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6372
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6660
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6920
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2948
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6444
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2308
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2444
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1680
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7016
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2084
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6224
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1216
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6200
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6916
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2668
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1212
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1444
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6960
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6328
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2620
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5292
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2584
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2140
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6292
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2212
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5624
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6932
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2768
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2044
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2296
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7120
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:464
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6300
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1476
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1520
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7052
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1948
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7020
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2896
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1020
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2252
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2436
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2568
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1592
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1448
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6728
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:716
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6536
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6752
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2908
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6792
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1624
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1600
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6480
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:540
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6408
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2784
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6584
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2496
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1988
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6192
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1284
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3048
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1524
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2724
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5740
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2144
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6824
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6732
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6820
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1692
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1916
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6492
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2832
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2396
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1240
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2200
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6320
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1752
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6868
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:940
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3044
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3060
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:912
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6288
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2064
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6432
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1096
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7212
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7292
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1532
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7300
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:892
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7424
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7504
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2968
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7512
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:824
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7632
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7744
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7760
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7772
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7844
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7852
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2440
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7904
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8120
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2628
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7988
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2684
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7232
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2660
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6720
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2672
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7224
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7276
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:936
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7344
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7492
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2476
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2392
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7576
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7636
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1224
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7732
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2096
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7932
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2932
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7976
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2756
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8016
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2420
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8100
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2400
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1640
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2300
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1944
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7240
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2372
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7416
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7540
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2648
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7548
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7600
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1952
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7660
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7720
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2292
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7860
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3000
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7672
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1236
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8020
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8184
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1660
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8168
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2764
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1416
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2148
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7440
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2204
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7332
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7524
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:296
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7552
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7712
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1196
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2268
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7796
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1748
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3088
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7204
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:808
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1908
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3148
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:6612
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7464
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3176
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2312
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7556
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3232
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1484
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7824
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3260
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7752
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8040
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3288
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2700
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3316
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8148
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7188
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3344
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7432
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7568
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3372
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7588
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7892
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3400
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7704
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7940
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3428
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1128
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8004
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8176
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7412
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3516
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7228
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2816
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3548
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7624
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3576
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7952
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7864
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3604
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:660
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8076
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3632
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7936
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:8136
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3660
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8132
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3688
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7792
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3716
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7460
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7488
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3744
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8160
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7388
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3772
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7312
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3800
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2740
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3692
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:8112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3828
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7944
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3856
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7320
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3888
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:8024
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7380
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3412
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3308
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3912
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4248
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4332
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4700
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4732
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4844
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4144
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4216
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4328
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4540
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4752
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4632
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4232
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5340
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:600
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
1.8MB

MD5
82a7909578880d6efe98bfe5e4a68458

SHA1
0681fdfda49ca927373ac5518a9cba4c5089c3f9

SHA256
7972b0b07144b6be650b00d3fc572252c414e9dac4c89dac7bfd0dadaa24b6da

SHA512
a9d758c937f50db942fd2f6937278eafebb28796ccc3491fa0a1ba1191a4fe6fdbd598b9e5313436b5bde112e35cb6e63e0b00425eda2a34b3020ca596a54840

Download Submit
C:\Windows\system\explorer.exe

Filesize
1.8MB

MD5
320e05bd001c40abe58d16a4084a6af4

SHA1
ac4b599966d702ae12fa1c50ced7a7d30c5377c5

SHA256
0c6a4692997cd31f7f258154ea946c3cb5c3803e11271303921d01978919bcb6

SHA512
0f3278b10b68272f65aa8f89fdab3edf65e9b4ccf0ef518d3db184f0200ff17cca522ad5603edab4411088f4d606bab22c08cedb181565bef94feaed18b99ef0

Download Submit
\Windows\system\spoolsv.exe

Filesize
1.8MB

MD5
addeee943507b3feb05fb7f3c681e1e2

SHA1
19a24ef96903cd2bba0d10653c6286ed542ce1ac

SHA256
9ca1c15795fc1e9557f381f5a8f893078dd83f485258a8595ff58dad39d37c33

SHA512
059a16099447f1971bb2c131aa19fe6ffe270c477b40c415e77f5fe65c682cb7f1e2e3bb67034c1fe0070884e20c798103e06915c16c54905656184a41985bec

Download Submit
memory/444-158-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/444-126-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/568-331-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/620-148-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/620-198-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/784-212-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/784-168-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/944-342-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/964-159-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1016-349-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1280-187-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1528-258-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1528-297-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1616-222-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-305-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-357-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-348-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-350-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-339-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-340-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-338-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-329-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-330-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-86-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-332-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-105-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-315-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-321-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-320-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-294-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-296-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-295-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-279-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-147-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-144-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-280-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-269-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-256-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-257-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-259-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-178-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-190-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-189-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-188-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-247-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-236-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-199-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-237-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-210-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-233-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-223-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1616-220-0x0000000003310000-0x0000000003424000-memory.dmp

Filesize
1.1MB

Download
memory/1980-211-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2000-235-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2068-224-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2112-134-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2136-246-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2136-288-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2160-125-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2256-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2256-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2256-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2256-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2264-146-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2264-106-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2284-116-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2284-156-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2304-281-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2304-234-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2348-358-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2360-323-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2408-177-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2408-136-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2540-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-43-0x0000000003110000-0x0000000003224000-memory.dmp

Filesize
1.1MB

Download
memory/2540-42-0x0000000003110000-0x0000000003224000-memory.dmp

Filesize
1.1MB

Download
memory/2540-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2564-287-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2564-322-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2572-319-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2572-278-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2584-44-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2584-72-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2584-48-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2584-45-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2608-304-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2608-341-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2736-29-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2736-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2736-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2736-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2736-19-0x0000000003190000-0x00000000032A4000-memory.dmp

Filesize
1.1MB

Download
memory/2736-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2788-268-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2788-312-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2956-351-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2956-311-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2988-201-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3012-298-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download