warzonerat | f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe
Size

8.9MB
MD5

dfe7aa41eefbf50ca13d6addb1cfc77f
SHA1

cc433ef4689063ec44e3c5667ccce3ae21fc5ab7
SHA256

f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48
SHA512

01be348df2a4c2f8d54d1189e304f478d481711d3cb259b6373d13248eac203bf634b52fc0d1b7b996f78566f2c75fdbad97ae3134a9ed98be4c4f8383ca4eb0
SSDEEP

49152:K1XP6rPbNechC0bNechC0bNecIC0bNechC0bNechC0bNecq:K1+8e8e8f8e8e8t

Score

10^/10

warzonerat discovery evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023c71-19.dat	warzonerat
behavioral2/files/0x0008000000023c6f-36.dat	warzonerat
behavioral2/files/0x00030000000221eb-50.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
1800	explorer.exe
3464	explorer.exe
4708	spoolsv.exe
4232	spoolsv.exe
3836	spoolsv.exe
4332	spoolsv.exe
2456	spoolsv.exe
392	spoolsv.exe
5024	spoolsv.exe
2328	spoolsv.exe
3352	spoolsv.exe
3516	spoolsv.exe
3600	spoolsv.exe
4352	spoolsv.exe
3076	spoolsv.exe
1372	spoolsv.exe
4728	spoolsv.exe
4268	spoolsv.exe
2040	spoolsv.exe
4980	spoolsv.exe
4760	spoolsv.exe
3392	spoolsv.exe
5072	spoolsv.exe
4316	spoolsv.exe
2004	spoolsv.exe
4020	spoolsv.exe
2320	spoolsv.exe
4716	spoolsv.exe
3104	spoolsv.exe
1960	spoolsv.exe
2560	spoolsv.exe
3148	spoolsv.exe
1012	spoolsv.exe
4196	spoolsv.exe
2684	spoolsv.exe
4240	spoolsv.exe
3484	spoolsv.exe
1072	spoolsv.exe
5096	spoolsv.exe
4308	spoolsv.exe
2596	spoolsv.exe
3644	spoolsv.exe
1616	spoolsv.exe
1140	spoolsv.exe
2060	spoolsv.exe
5000	spoolsv.exe
4264	spoolsv.exe
4652	spoolsv.exe
3424	spoolsv.exe
3928	spoolsv.exe
4256	spoolsv.exe
2704	spoolsv.exe
384	spoolsv.exe
3804	spoolsv.exe
4624	spoolsv.exe
4932	spoolsv.exe
5108	spoolsv.exe
3156	spoolsv.exe
3012	spoolsv.exe
4684	spoolsv.exe
4476	spoolsv.exe
3900	spoolsv.exe
3724	spoolsv.exe
740	spoolsv.exe

Adds Run key to start application 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 4428	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	99
PID 2264 set thread context of 752	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	100
PID 1800 set thread context of 3464	1800	explorer.exe	103
PID 1800 set thread context of 716	1800	explorer.exe	104
PID 4708 set thread context of 6696	4708	spoolsv.exe	268
PID 4708 set thread context of 6720	4708	spoolsv.exe	269
PID 4232 set thread context of 6848	4232	spoolsv.exe	272
PID 4232 set thread context of 6860	4232	spoolsv.exe	273
PID 3836 set thread context of 6952	3836	spoolsv.exe	275
PID 3836 set thread context of 6968	3836	spoolsv.exe	276
PID 4332 set thread context of 7052	4332	spoolsv.exe	278
PID 2456 set thread context of 7140	2456	spoolsv.exe	281
PID 2456 set thread context of 7152	2456	spoolsv.exe	282
PID 392 set thread context of 3420	392	spoolsv.exe	284
PID 392 set thread context of 2184	392	spoolsv.exe	285
PID 5024 set thread context of 6576	5024	spoolsv.exe	287
PID 5024 set thread context of 6800	5024	spoolsv.exe	288
PID 2328 set thread context of 6928	2328	spoolsv.exe	290
PID 2328 set thread context of 2736	2328	spoolsv.exe	291
PID 3352 set thread context of 6984	3352	spoolsv.exe	293
PID 3516 set thread context of 3548	3516	spoolsv.exe	296
PID 3600 set thread context of 216	3600	spoolsv.exe	299
PID 3600 set thread context of 2296	3600	spoolsv.exe	300
PID 4352 set thread context of 4512	4352	spoolsv.exe	302
PID 4352 set thread context of 7132	4352	spoolsv.exe	303
PID 3076 set thread context of 6772	3076	spoolsv.exe	305
PID 3076 set thread context of 6756	3076	spoolsv.exe	306
PID 1372 set thread context of 6708	1372	spoolsv.exe	308
PID 1372 set thread context of 6820	1372	spoolsv.exe	309
PID 4728 set thread context of 6992	4728	spoolsv.exe	311
PID 4728 set thread context of 7004	4728	spoolsv.exe	312
PID 4268 set thread context of 1108	4268	spoolsv.exe	314
PID 4268 set thread context of 3528	4268	spoolsv.exe	315
PID 2040 set thread context of 2488	2040	spoolsv.exe	317
PID 2040 set thread context of 2896	2040	spoolsv.exe	318
PID 4980 set thread context of 6744	4980	spoolsv.exe	320
PID 4980 set thread context of 1984	4980	spoolsv.exe	321
PID 4760 set thread context of 4920	4760	spoolsv.exe	323
PID 4760 set thread context of 3768	4760	spoolsv.exe	324
PID 3392 set thread context of 2520	3392	spoolsv.exe	326
PID 3392 set thread context of 3028	3392	spoolsv.exe	327
PID 5072 set thread context of 4900	5072	spoolsv.exe	329
PID 4316 set thread context of 1936	4316	spoolsv.exe	332
PID 4316 set thread context of 7124	4316	spoolsv.exe	333
PID 2004 set thread context of 5964	2004	spoolsv.exe	335
PID 4020 set thread context of 6876	4020	spoolsv.exe	338
PID 4020 set thread context of 3116	4020	spoolsv.exe	339
PID 2320 set thread context of 4304	2320	spoolsv.exe	341
PID 4716 set thread context of 6836	4716	spoolsv.exe	344
PID 4716 set thread context of 4188	4716	spoolsv.exe	345
PID 3104 set thread context of 3208	3104	spoolsv.exe	347
PID 1960 set thread context of 5112	1960	spoolsv.exe	350
PID 1960 set thread context of 5888	1960	spoolsv.exe	351
PID 2560 set thread context of 5920	2560	spoolsv.exe	353
PID 3148 set thread context of 928	3148	spoolsv.exe	356
PID 3148 set thread context of 636	3148	spoolsv.exe	357
PID 1012 set thread context of 4300	1012	spoolsv.exe	359
PID 1012 set thread context of 6716	1012	spoolsv.exe	360
PID 4196 set thread context of 184	4196	spoolsv.exe	362
PID 4196 set thread context of 5868	4196	spoolsv.exe	363
PID 2684 set thread context of 3256	2684	spoolsv.exe	365
PID 4240 set thread context of 2768	4240	spoolsv.exe	368
PID 3484 set thread context of 5068	3484	spoolsv.exe	371
PID 3484 set thread context of 4052	3484	spoolsv.exe	372

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4428	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe
4428	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3464	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4428	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe
4428	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
3464	explorer.exe
6696	spoolsv.exe
6696	spoolsv.exe
6848	spoolsv.exe
6848	spoolsv.exe
6952	spoolsv.exe
6952	spoolsv.exe
7052	spoolsv.exe
7052	spoolsv.exe
7140	spoolsv.exe
7140	spoolsv.exe
3420	spoolsv.exe
3420	spoolsv.exe
6576	spoolsv.exe
6576	spoolsv.exe
6928	spoolsv.exe
6928	spoolsv.exe
6984	spoolsv.exe
6984	spoolsv.exe
3548	spoolsv.exe
3548	spoolsv.exe
216	spoolsv.exe
216	spoolsv.exe
4512	spoolsv.exe
4512	spoolsv.exe
6772	spoolsv.exe
6772	spoolsv.exe
6708	spoolsv.exe
6708	spoolsv.exe
6992	spoolsv.exe
6992	spoolsv.exe
1108	spoolsv.exe
1108	spoolsv.exe
2488	spoolsv.exe
2488	spoolsv.exe
6744	spoolsv.exe
6744	spoolsv.exe
4920	spoolsv.exe
4920	spoolsv.exe
2520	spoolsv.exe
2520	spoolsv.exe
4900	spoolsv.exe
4900	spoolsv.exe
1936	spoolsv.exe
1936	spoolsv.exe
5964	spoolsv.exe
5964	spoolsv.exe
6876	spoolsv.exe
6876	spoolsv.exe
4304	spoolsv.exe
4304	spoolsv.exe
6836	spoolsv.exe
6836	spoolsv.exe
3208	spoolsv.exe
3208	spoolsv.exe
5112	spoolsv.exe
5112	spoolsv.exe
5920	spoolsv.exe
5920	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 4428	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	99
PID 2264 wrote to memory of 4428	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	99
PID 2264 wrote to memory of 4428	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	99
PID 2264 wrote to memory of 4428	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	99
PID 2264 wrote to memory of 4428	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	99
PID 2264 wrote to memory of 4428	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	99
PID 2264 wrote to memory of 4428	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	99
PID 2264 wrote to memory of 4428	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	99
PID 2264 wrote to memory of 752	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	100
PID 2264 wrote to memory of 752	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	100
PID 2264 wrote to memory of 752	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	100
PID 2264 wrote to memory of 752	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	100
PID 2264 wrote to memory of 752	2264	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	100
PID 4428 wrote to memory of 1800	4428	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	101
PID 4428 wrote to memory of 1800	4428	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	101
PID 4428 wrote to memory of 1800	4428	f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe	101
PID 1800 wrote to memory of 3464	1800	explorer.exe	103
PID 1800 wrote to memory of 3464	1800	explorer.exe	103
PID 1800 wrote to memory of 3464	1800	explorer.exe	103
PID 1800 wrote to memory of 3464	1800	explorer.exe	103
PID 1800 wrote to memory of 3464	1800	explorer.exe	103
PID 1800 wrote to memory of 3464	1800	explorer.exe	103
PID 1800 wrote to memory of 3464	1800	explorer.exe	103
PID 1800 wrote to memory of 3464	1800	explorer.exe	103
PID 1800 wrote to memory of 716	1800	explorer.exe	104
PID 1800 wrote to memory of 716	1800	explorer.exe	104
PID 1800 wrote to memory of 716	1800	explorer.exe	104
PID 1800 wrote to memory of 716	1800	explorer.exe	104
PID 1800 wrote to memory of 716	1800	explorer.exe	104
PID 3464 wrote to memory of 4708	3464	explorer.exe	105
PID 3464 wrote to memory of 4708	3464	explorer.exe	105
PID 3464 wrote to memory of 4708	3464	explorer.exe	105
PID 3464 wrote to memory of 4232	3464	explorer.exe	106
PID 3464 wrote to memory of 4232	3464	explorer.exe	106
PID 3464 wrote to memory of 4232	3464	explorer.exe	106
PID 3464 wrote to memory of 3836	3464	explorer.exe	107
PID 3464 wrote to memory of 3836	3464	explorer.exe	107
PID 3464 wrote to memory of 3836	3464	explorer.exe	107
PID 3464 wrote to memory of 4332	3464	explorer.exe	108
PID 3464 wrote to memory of 4332	3464	explorer.exe	108
PID 3464 wrote to memory of 4332	3464	explorer.exe	108
PID 3464 wrote to memory of 2456	3464	explorer.exe	109
PID 3464 wrote to memory of 2456	3464	explorer.exe	109
PID 3464 wrote to memory of 2456	3464	explorer.exe	109
PID 3464 wrote to memory of 392	3464	explorer.exe	110
PID 3464 wrote to memory of 392	3464	explorer.exe	110
PID 3464 wrote to memory of 392	3464	explorer.exe	110
PID 3464 wrote to memory of 5024	3464	explorer.exe	111
PID 3464 wrote to memory of 5024	3464	explorer.exe	111
PID 3464 wrote to memory of 5024	3464	explorer.exe	111
PID 3464 wrote to memory of 2328	3464	explorer.exe	112
PID 3464 wrote to memory of 2328	3464	explorer.exe	112
PID 3464 wrote to memory of 2328	3464	explorer.exe	112
PID 3464 wrote to memory of 3352	3464	explorer.exe	113
PID 3464 wrote to memory of 3352	3464	explorer.exe	113
PID 3464 wrote to memory of 3352	3464	explorer.exe	113
PID 3464 wrote to memory of 3516	3464	explorer.exe	114
PID 3464 wrote to memory of 3516	3464	explorer.exe	114
PID 3464 wrote to memory of 3516	3464	explorer.exe	114
PID 3464 wrote to memory of 3600	3464	explorer.exe	115
PID 3464 wrote to memory of 3600	3464	explorer.exe	115
PID 3464 wrote to memory of 3600	3464	explorer.exe	115
PID 3464 wrote to memory of 4352	3464	explorer.exe	116
PID 3464 wrote to memory of 4352	3464	explorer.exe	116

C:\Users\Admin\AppData\Local\Temp\f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe
"C:\Users\Admin\AppData\Local\Temp\f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe
  "C:\Users\Admin\AppData\Local\Temp\f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4428
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visiblity of hidden/system files in Explorer
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4708
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6696
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6812
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6720
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4232
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6848
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6908
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6860
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3836
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6952
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7012
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4332
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7052
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7100
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2456
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7140
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2580
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:392
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3420
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:6712
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:5024
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6576
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6896
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6800
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2328
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6928
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:548
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3352
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6984
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7032
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1956
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3516
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4396
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3600
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:216
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:7064
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2296
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4352
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4512
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3076
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6772
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6776
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6756
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1372
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6708
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4728
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6992
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6976
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4268
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1108
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4804
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3528
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2040
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2488
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2592
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2896
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4980
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6744
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6844
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4760
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4920
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3388
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3768
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3392
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2980
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3028
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5072
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4900
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:3160
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4316
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4072
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:7124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2004
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5964
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:224
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4020
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6876
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:1956
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3116
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2320
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4304
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7068
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4716
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6836
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4648
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3104
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3208
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4808
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1960
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5112
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4416
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5888
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2560
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5920
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3308
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5972
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3148
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:928
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:6340
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1012
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:4300
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:6716
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4196
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:184
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2352
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2684
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:3256
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2008
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4240
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2768
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:5972
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3968
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:3484
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:5068
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4780
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1072
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3940
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:5096
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:7008
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3960
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4308
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:228
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:960
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2444
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2596
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1916
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:4216
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:3100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3644
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:1740
        
        \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        7⤵
        
        PID:2588
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:4892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1140
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3928
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4256
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2704
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:4932
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:5108
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3156
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3900
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:3724
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:740
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1796
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3544
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4568
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2132
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5016
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1964
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3384
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:880
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4324
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4628
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:840
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1564
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4868
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1728
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2360
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:816
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:624
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4536
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:4784
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2336
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:516
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:3452
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5172
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5208
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5300
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5356
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5416
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:5456
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6032
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6048
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6068
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6100
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6136
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:180
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6064
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6164
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6184
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6204
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6224
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6244
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6260
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6284
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6304
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6320
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6344
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6376
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6448
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6484
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6504
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6552
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6580
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6604
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6620
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6636
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6652
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:6688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6788
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:716
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
8.9MB

MD5
dfe7aa41eefbf50ca13d6addb1cfc77f

SHA1
cc433ef4689063ec44e3c5667ccce3ae21fc5ab7

SHA256
f25d4dc06819bdd8a48221dd5cc156b131a042ff17dea6cd18ed6d0a24e9da48

SHA512
01be348df2a4c2f8d54d1189e304f478d481711d3cb259b6373d13248eac203bf634b52fc0d1b7b996f78566f2c75fdbad97ae3134a9ed98be4c4f8383ca4eb0

Download Submit
C:\Windows\System\explorer.exe

Filesize
8.9MB

MD5
3ee6663ab53db59cb04377e5fcbbe3cb

SHA1
895b6469622d1dd84f50f7e7ccfe4407465ea47d

SHA256
3f9bb09b4d25601ebbc9992502aa4452c7eb7b2cbe3a49b714d110a3cac64a30

SHA512
17b10cc74efc766e3f253b546e67a20d9fbb74342504c3c3613729d9dd18b1c957e63aba1cd0f2a4d5097542db3c953e3ec5edfffb4de690bd84559e36cac65c

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
8.9MB

MD5
817780f5c3b5526763e951ce168c3aab

SHA1
9da972d1a2c2c7cdb783b8cf0798ecee41362088

SHA256
44fa16ca860217429437cdad854945f4e451f10c77370ef3f72d8d98eb73a963

SHA512
4c8bef67e3ba08c24ea808b614ba268c96692ed4d73c55fd64bec04b0d609397eb6765a44551660d50af90cd3885aa268a95d33ad707bfc7f0507e8e241c1edd

Download Submit
memory/384-158-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/384-175-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/392-78-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/716-42-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/740-191-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/752-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/752-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/752-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1012-133-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1072-145-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1140-160-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1140-137-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1372-74-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1372-96-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1396-196-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1616-134-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1616-157-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1796-193-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1800-46-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1800-28-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1800-24-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1800-23-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1960-105-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1960-126-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2004-116-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2040-102-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2060-162-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2264-0-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2264-15-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2264-3-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2264-2-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2264-1-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2320-120-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2328-82-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2456-76-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2560-128-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2560-108-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2596-152-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2684-139-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2688-194-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2704-174-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3012-184-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3076-94-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3104-124-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3148-131-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3156-183-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3352-85-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3392-110-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3420-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3424-170-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3464-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3464-34-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3484-143-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3516-87-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3544-195-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3600-89-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3600-67-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3644-155-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3724-190-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3724-176-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3804-177-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3836-71-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3900-189-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3928-172-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/3928-150-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4020-118-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4196-136-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4232-69-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4240-141-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4256-173-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4256-153-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4264-166-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4268-100-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4308-149-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4316-92-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4316-114-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4332-73-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4352-91-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4428-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4428-25-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/4476-187-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4568-188-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4624-179-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4652-168-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4668-192-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4668-180-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4684-186-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4708-52-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4708-66-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4716-122-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4728-98-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4760-107-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4932-181-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4980-104-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/5000-164-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/5020-185-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/5024-80-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/5072-112-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/5096-147-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/5108-182-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/6576-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6696-241-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6848-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6952-261-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6984-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7052-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/7140-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download