warzonerat | 9b029277618519b3a95428ff318406c1ccc25c02136ee11e998c481fd4668156

Analysis

max time kernel
120s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2024, 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e99e6372253c3d529b9ae9433ef4fdf0N.exe
Size

1.8MB
MD5

e99e6372253c3d529b9ae9433ef4fdf0
SHA1

6cbaf18b2c55d3e875ae0d25758e555c2222e5a4
SHA256

9b029277618519b3a95428ff318406c1ccc25c02136ee11e998c481fd4668156
SHA512

e32068a45ede8a1ecffeb3af7f82955ba15f804439a83b067976819809536910c83a6abc217f46692e7393400d3eb5a507f84606d3de688a70b5a82f937e7bca
SSDEEP

12288:i254f/VAuj79umm3xR0lq+X6kOyeXiYxewRJBWW59qA7W2FeDSIGVH/KIDgDgUeF:x+D9uVMpjOyerrFQDbGV6eH81kx

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023424-19.dat	warzonerat
behavioral2/files/0x0008000000023422-32.dat	warzonerat
behavioral2/files/0x0008000000023429-45.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
2272	explorer.exe
2100	explorer.exe
4580	spoolsv.exe
1824	spoolsv.exe
2924	spoolsv.exe
2324	spoolsv.exe
432	spoolsv.exe
556	spoolsv.exe
5104	spoolsv.exe
4288	spoolsv.exe
536	spoolsv.exe
3988	spoolsv.exe
3420	spoolsv.exe
816	spoolsv.exe
4952	spoolsv.exe
904	spoolsv.exe
1856	spoolsv.exe
2716	spoolsv.exe
664	spoolsv.exe
392	spoolsv.exe
2284	spoolsv.exe
4268	spoolsv.exe
1616	spoolsv.exe
1652	spoolsv.exe
948	spoolsv.exe
4784	spoolsv.exe
1748	spoolsv.exe
2252	spoolsv.exe
4092	spoolsv.exe
2504	spoolsv.exe
4512	spoolsv.exe
1800	spoolsv.exe
1240	spoolsv.exe
3992	spoolsv.exe
2960	spoolsv.exe
4056	spoolsv.exe
4612	spoolsv.exe
2024	spoolsv.exe
3164	spoolsv.exe
2200	spoolsv.exe
1344	spoolsv.exe
4272	spoolsv.exe
3608	spoolsv.exe
880	spoolsv.exe
4556	spoolsv.exe
2908	spoolsv.exe
2796	spoolsv.exe
1972	spoolsv.exe
1720	spoolsv.exe
3012	spoolsv.exe
2820	spoolsv.exe
636	spoolsv.exe
2484	spoolsv.exe
2928	spoolsv.exe
3644	spoolsv.exe
4676	spoolsv.exe
4432	spoolsv.exe
2524	spoolsv.exe
3112	spoolsv.exe
4008	spoolsv.exe
5012	spoolsv.exe
1508	spoolsv.exe
448	spoolsv.exe
2068	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	e99e6372253c3d529b9ae9433ef4fdf0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 2116	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	98
PID 2512 set thread context of 2184	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	99
PID 2272 set thread context of 2100	2272	explorer.exe	102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	e99e6372253c3d529b9ae9433ef4fdf0N.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e99e6372253c3d529b9ae9433ef4fdf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	e99e6372253c3d529b9ae9433ef4fdf0N.exe
2116	e99e6372253c3d529b9ae9433ef4fdf0N.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2100	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2116	e99e6372253c3d529b9ae9433ef4fdf0N.exe
2116	e99e6372253c3d529b9ae9433ef4fdf0N.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2116	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	98
PID 2512 wrote to memory of 2116	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	98
PID 2512 wrote to memory of 2116	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	98
PID 2512 wrote to memory of 2116	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	98
PID 2512 wrote to memory of 2116	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	98
PID 2512 wrote to memory of 2116	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	98
PID 2512 wrote to memory of 2116	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	98
PID 2512 wrote to memory of 2116	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	98
PID 2512 wrote to memory of 2184	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	99
PID 2512 wrote to memory of 2184	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	99
PID 2512 wrote to memory of 2184	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	99
PID 2512 wrote to memory of 2184	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	99
PID 2512 wrote to memory of 2184	2512	e99e6372253c3d529b9ae9433ef4fdf0N.exe	99
PID 2116 wrote to memory of 2272	2116	e99e6372253c3d529b9ae9433ef4fdf0N.exe	100
PID 2116 wrote to memory of 2272	2116	e99e6372253c3d529b9ae9433ef4fdf0N.exe	100
PID 2116 wrote to memory of 2272	2116	e99e6372253c3d529b9ae9433ef4fdf0N.exe	100
PID 2272 wrote to memory of 2100	2272	explorer.exe	102
PID 2272 wrote to memory of 2100	2272	explorer.exe	102
PID 2272 wrote to memory of 2100	2272	explorer.exe	102
PID 2272 wrote to memory of 2100	2272	explorer.exe	102
PID 2272 wrote to memory of 2100	2272	explorer.exe	102
PID 2272 wrote to memory of 2100	2272	explorer.exe	102
PID 2272 wrote to memory of 2100	2272	explorer.exe	102
PID 2272 wrote to memory of 2100	2272	explorer.exe	102
PID 2272 wrote to memory of 4576	2272	explorer.exe	103
PID 2272 wrote to memory of 4576	2272	explorer.exe	103
PID 2272 wrote to memory of 4576	2272	explorer.exe	103
PID 2100 wrote to memory of 4580	2100	explorer.exe	104
PID 2100 wrote to memory of 4580	2100	explorer.exe	104
PID 2100 wrote to memory of 4580	2100	explorer.exe	104
PID 2100 wrote to memory of 1824	2100	explorer.exe	105
PID 2100 wrote to memory of 1824	2100	explorer.exe	105
PID 2100 wrote to memory of 1824	2100	explorer.exe	105
PID 2100 wrote to memory of 2924	2100	explorer.exe	106
PID 2100 wrote to memory of 2924	2100	explorer.exe	106
PID 2100 wrote to memory of 2924	2100	explorer.exe	106
PID 2100 wrote to memory of 2324	2100	explorer.exe	107
PID 2100 wrote to memory of 2324	2100	explorer.exe	107
PID 2100 wrote to memory of 2324	2100	explorer.exe	107
PID 2100 wrote to memory of 432	2100	explorer.exe	108
PID 2100 wrote to memory of 432	2100	explorer.exe	108
PID 2100 wrote to memory of 432	2100	explorer.exe	108
PID 2100 wrote to memory of 556	2100	explorer.exe	109
PID 2100 wrote to memory of 556	2100	explorer.exe	109
PID 2100 wrote to memory of 556	2100	explorer.exe	109
PID 2100 wrote to memory of 5104	2100	explorer.exe	110
PID 2100 wrote to memory of 5104	2100	explorer.exe	110
PID 2100 wrote to memory of 5104	2100	explorer.exe	110
PID 2100 wrote to memory of 4288	2100	explorer.exe	111
PID 2100 wrote to memory of 4288	2100	explorer.exe	111
PID 2100 wrote to memory of 4288	2100	explorer.exe	111
PID 2100 wrote to memory of 536	2100	explorer.exe	112
PID 2100 wrote to memory of 536	2100	explorer.exe	112
PID 2100 wrote to memory of 536	2100	explorer.exe	112
PID 2100 wrote to memory of 3988	2100	explorer.exe	113
PID 2100 wrote to memory of 3988	2100	explorer.exe	113
PID 2100 wrote to memory of 3988	2100	explorer.exe	113
PID 2100 wrote to memory of 3420	2100	explorer.exe	114
PID 2100 wrote to memory of 3420	2100	explorer.exe	114
PID 2100 wrote to memory of 3420	2100	explorer.exe	114
PID 2100 wrote to memory of 816	2100	explorer.exe	115
PID 2100 wrote to memory of 816	2100	explorer.exe	115
PID 2100 wrote to memory of 816	2100	explorer.exe	115
PID 2100 wrote to memory of 4952	2100	explorer.exe	116

C:\Users\Admin\AppData\Local\Temp\e99e6372253c3d529b9ae9433ef4fdf0N.exe
"C:\Users\Admin\AppData\Local\Temp\e99e6372253c3d529b9ae9433ef4fdf0N.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\e99e6372253c3d529b9ae9433ef4fdf0N.exe
  "C:\Users\Admin\AppData\Local\Temp\e99e6372253c3d529b9ae9433ef4fdf0N.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2116
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4952
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3992
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4612
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3608
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4008
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3240
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4480
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:812
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3708
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5160
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5212
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5500
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5560
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5864
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5948
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5292
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5692
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5596
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6200
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6352
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6368
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6440
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6600
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6776
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6792
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6808
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6828
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6988
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7040
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7096
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7112
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6824
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7220
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7488
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7556
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7648
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7664
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7696
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7712
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7748
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7764
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7780
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7856
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:7984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:8000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:8016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:8036
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:8052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:8072
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:8088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:8104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:8128
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:8148
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:4576
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
1.8MB

MD5
e99e6372253c3d529b9ae9433ef4fdf0

SHA1
6cbaf18b2c55d3e875ae0d25758e555c2222e5a4

SHA256
9b029277618519b3a95428ff318406c1ccc25c02136ee11e998c481fd4668156

SHA512
e32068a45ede8a1ecffeb3af7f82955ba15f804439a83b067976819809536910c83a6abc217f46692e7393400d3eb5a507f84606d3de688a70b5a82f937e7bca

Download Submit
C:\Windows\System\explorer.exe

Filesize
1.8MB

MD5
9a5df9eeeacd4a467e7c829087be1207

SHA1
7b7564b135bf212fce27265242c5c0f538537543

SHA256
3071ebbce4c76c5d5be0dfafc701a8cd3e0afdc559aa54cfc92235daabfdc23c

SHA512
5bf8d50ab85e6cd51a9f9a66c9c5841ff297630335f1cec69f7a2df621a9acf1976fece577e864bd32a6a52414e9d4f2e76c5babbaf512938a4541c0395a30c0

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
1.8MB

MD5
852948a5b4e4abffcb0e020c91964109

SHA1
fda160928ec62a5ad856b9f5933d8ed643cf9da4

SHA256
1f8e5c5a278809ce2a59a9a573f603a8ab758adf219f1d8168c97c46256e7f89

SHA512
d7fca8e4dba0ac4b962acfbd03b537e87be196d53e22b98160bcc04cb7a88ec563369cf21bfe6beb53b5a4ea2e89f1c5f265c0f75fe7bf55c0541dce7f32bd14

Download Submit
memory/392-98-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/392-76-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/432-52-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/432-69-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/448-174-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/536-78-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/556-71-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/636-162-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/664-96-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/812-180-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/816-84-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/816-63-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/880-146-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/904-88-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/948-108-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1240-124-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1344-140-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1508-173-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1592-182-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1616-104-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1652-106-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1720-158-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1748-112-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1764-186-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1800-122-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1824-62-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1856-91-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1972-155-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2024-134-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2068-176-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2100-35-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-25-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2184-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2184-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2184-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2200-138-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2252-94-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2252-114-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2272-26-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2272-23-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2272-40-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2284-100-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2324-67-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2484-163-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2504-118-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2512-16-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2512-1-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2512-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2512-3-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2512-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2524-168-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2668-184-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2716-93-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2796-153-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2820-161-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2908-151-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2924-65-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2928-164-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2932-172-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2932-183-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2960-128-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3012-160-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3112-169-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3164-136-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3240-177-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3420-82-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3424-191-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3608-144-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3624-179-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3644-165-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3644-149-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3708-188-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3988-80-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3992-126-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4000-189-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4008-170-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4056-130-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4092-116-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4268-102-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4272-142-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4288-75-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4320-190-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4388-181-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4432-167-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4480-178-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4512-120-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4556-148-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4580-60-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4612-132-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4676-166-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4784-89-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4784-110-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4788-185-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/4952-86-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5012-171-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5040-187-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5040-175-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/5104-73-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download