warzonerat | ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08

Analysis

max time kernel
132s
max time network
58s
platform
windows7_x64
resource
win7
submitted
06-07-2020 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
Size

1.8MB
MD5

c8c500dafdfa5f1e0b9609a0de3ed0c2
SHA1

0188ba23e3ee0f74ad8a055a6474933c47eaa7e9
SHA256

ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08
SHA512

7cb27417cb1796978459161fd94bc067ce047b9bdc7886e8dab02f5ec59a21c3fc93c27c9b29f51e715df512cea75e91fe7b6273e94573b8d02130c369a3f93c

Score

10^/10

rat persistence evasion infostealer warzonerat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT Payload 266 IoCs

rat

resource	yara_rule
behavioral1/files/0x00040000000131c9-11.dat	warzonerat
behavioral1/files/0x00040000000131c9-13.dat	warzonerat
behavioral1/files/0x00040000000131c9-16.dat	warzonerat
behavioral1/files/0x00040000000131c9-19.dat	warzonerat
behavioral1/files/0x00040000000131c9-22.dat	warzonerat
behavioral1/files/0x00040000000131c4-24.dat	warzonerat
behavioral1/files/0x00050000000131c7-25.dat	warzonerat
behavioral1/files/0x00040000000131ca-32.dat	warzonerat
behavioral1/files/0x00040000000131ca-35.dat	warzonerat
behavioral1/files/0x00040000000131ca-33.dat	warzonerat
behavioral1/files/0x00040000000131ca-40.dat	warzonerat
behavioral1/files/0x00040000000131ca-42.dat	warzonerat
behavioral1/files/0x00040000000131ca-45.dat	warzonerat
behavioral1/files/0x00040000000131ca-48.dat	warzonerat
behavioral1/files/0x00040000000131ca-50.dat	warzonerat
behavioral1/files/0x00040000000131ca-53.dat	warzonerat
behavioral1/files/0x00040000000131ca-56.dat	warzonerat
behavioral1/files/0x00040000000131ca-58.dat	warzonerat
behavioral1/files/0x00040000000131ca-61.dat	warzonerat
behavioral1/files/0x00040000000131ca-64.dat	warzonerat
behavioral1/files/0x00040000000131ca-66.dat	warzonerat
behavioral1/files/0x00040000000131ca-69.dat	warzonerat
behavioral1/files/0x00040000000131ca-72.dat	warzonerat
behavioral1/files/0x00040000000131ca-74.dat	warzonerat
behavioral1/files/0x00040000000131ca-77.dat	warzonerat
behavioral1/files/0x00040000000131ca-80.dat	warzonerat
behavioral1/files/0x00040000000131ca-85.dat	warzonerat
behavioral1/files/0x00040000000131ca-82.dat	warzonerat
behavioral1/files/0x00040000000131ca-88.dat	warzonerat
behavioral1/files/0x00040000000131ca-90.dat	warzonerat
behavioral1/files/0x00040000000131ca-93.dat	warzonerat
behavioral1/files/0x00040000000131ca-96.dat	warzonerat
behavioral1/files/0x00040000000131ca-98.dat	warzonerat
behavioral1/files/0x00040000000131ca-101.dat	warzonerat
behavioral1/files/0x00040000000131ca-104.dat	warzonerat
behavioral1/files/0x00040000000131ca-106.dat	warzonerat
behavioral1/files/0x00040000000131ca-109.dat	warzonerat
behavioral1/files/0x00040000000131ca-112.dat	warzonerat
behavioral1/files/0x00040000000131ca-117.dat	warzonerat
behavioral1/files/0x00040000000131ca-114.dat	warzonerat
behavioral1/files/0x00040000000131ca-120.dat	warzonerat
behavioral1/files/0x00040000000131ca-122.dat	warzonerat
behavioral1/files/0x00040000000131ca-125.dat	warzonerat
behavioral1/files/0x00040000000131ca-128.dat	warzonerat
behavioral1/files/0x00040000000131ca-130.dat	warzonerat
behavioral1/files/0x00040000000131ca-133.dat	warzonerat
behavioral1/files/0x00040000000131ca-136.dat	warzonerat
behavioral1/files/0x00040000000131ca-138.dat	warzonerat
behavioral1/files/0x00040000000131ca-141.dat	warzonerat
behavioral1/files/0x00040000000131ca-144.dat	warzonerat
behavioral1/files/0x00040000000131ca-146.dat	warzonerat
behavioral1/files/0x00040000000131ca-149.dat	warzonerat
behavioral1/files/0x00040000000131ca-152.dat	warzonerat
behavioral1/files/0x00040000000131ca-157.dat	warzonerat
behavioral1/files/0x00040000000131ca-154.dat	warzonerat
behavioral1/files/0x00040000000131ca-160.dat	warzonerat
behavioral1/files/0x00040000000131ca-162.dat	warzonerat
behavioral1/files/0x00040000000131ca-165.dat	warzonerat
behavioral1/files/0x00040000000131ca-168.dat	warzonerat
behavioral1/files/0x00040000000131ca-170.dat	warzonerat
behavioral1/files/0x00040000000131ca-173.dat	warzonerat
behavioral1/files/0x00040000000131ca-176.dat	warzonerat
behavioral1/files/0x00040000000131ca-178.dat	warzonerat
behavioral1/files/0x00040000000131ca-181.dat	warzonerat
behavioral1/files/0x00040000000131ca-186.dat	warzonerat
behavioral1/files/0x00040000000131ca-184.dat	warzonerat
behavioral1/files/0x00040000000131ca-189.dat	warzonerat
behavioral1/files/0x00040000000131ca-192.dat	warzonerat
behavioral1/files/0x00040000000131ca-194.dat	warzonerat
behavioral1/files/0x00040000000131ca-197.dat	warzonerat
behavioral1/files/0x00040000000131ca-200.dat	warzonerat
behavioral1/files/0x00040000000131ca-202.dat	warzonerat
behavioral1/files/0x00040000000131ca-205.dat	warzonerat
behavioral1/files/0x00040000000131ca-208.dat	warzonerat
behavioral1/files/0x00040000000131ca-210.dat	warzonerat
behavioral1/files/0x00040000000131ca-213.dat	warzonerat
behavioral1/files/0x00040000000131ca-216.dat	warzonerat
behavioral1/files/0x00040000000131ca-218.dat	warzonerat
behavioral1/files/0x00040000000131ca-221.dat	warzonerat
behavioral1/files/0x00040000000131ca-224.dat	warzonerat
behavioral1/files/0x00040000000131ca-226.dat	warzonerat
behavioral1/files/0x00040000000131ca-229.dat	warzonerat
behavioral1/files/0x00040000000131ca-232.dat	warzonerat
behavioral1/files/0x00040000000131ca-234.dat	warzonerat
behavioral1/files/0x00040000000131ca-237.dat	warzonerat
behavioral1/files/0x00040000000131ca-240.dat	warzonerat
behavioral1/files/0x00040000000131ca-242.dat	warzonerat
behavioral1/files/0x00040000000131ca-245.dat	warzonerat
behavioral1/files/0x00040000000131ca-248.dat	warzonerat
behavioral1/files/0x00040000000131ca-250.dat	warzonerat
behavioral1/files/0x00040000000131ca-253.dat	warzonerat
behavioral1/files/0x00040000000131ca-256.dat	warzonerat
behavioral1/files/0x00040000000131ca-258.dat	warzonerat
behavioral1/files/0x00040000000131ca-261.dat	warzonerat
behavioral1/files/0x00040000000131ca-264.dat	warzonerat
behavioral1/files/0x00040000000131ca-266.dat	warzonerat
behavioral1/files/0x00040000000131ca-269.dat	warzonerat
behavioral1/files/0x00040000000131ca-272.dat	warzonerat
behavioral1/files/0x00040000000131ca-274.dat	warzonerat
behavioral1/files/0x00040000000131ca-277.dat	warzonerat
behavioral1/files/0x00040000000131ca-280.dat	warzonerat
behavioral1/files/0x00040000000131ca-282.dat	warzonerat
behavioral1/files/0x00040000000131ca-285.dat	warzonerat
behavioral1/files/0x00040000000131ca-288.dat	warzonerat
behavioral1/files/0x00040000000131ca-290.dat	warzonerat
behavioral1/files/0x00040000000131ca-293.dat	warzonerat
behavioral1/files/0x00040000000131ca-296.dat	warzonerat
behavioral1/files/0x00040000000131ca-298.dat	warzonerat
behavioral1/files/0x00040000000131ca-301.dat	warzonerat
behavioral1/files/0x00040000000131ca-304.dat	warzonerat
behavioral1/files/0x00040000000131ca-306.dat	warzonerat
behavioral1/files/0x00040000000131ca-309.dat	warzonerat
behavioral1/files/0x00040000000131ca-312.dat	warzonerat
behavioral1/files/0x00040000000131ca-314.dat	warzonerat
behavioral1/files/0x00040000000131ca-317.dat	warzonerat
behavioral1/files/0x00040000000131ca-320.dat	warzonerat
behavioral1/files/0x00040000000131ca-322.dat	warzonerat
behavioral1/files/0x00040000000131ca-325.dat	warzonerat
behavioral1/files/0x00040000000131ca-328.dat	warzonerat
behavioral1/files/0x00040000000131ca-330.dat	warzonerat
behavioral1/files/0x00040000000131ca-333.dat	warzonerat
behavioral1/files/0x00040000000131ca-336.dat	warzonerat
behavioral1/files/0x00040000000131ca-338.dat	warzonerat
behavioral1/files/0x00040000000131ca-341.dat	warzonerat
behavioral1/files/0x00040000000131ca-344.dat	warzonerat
behavioral1/files/0x00040000000131ca-346.dat	warzonerat
behavioral1/files/0x00040000000131ca-349.dat	warzonerat
behavioral1/files/0x00040000000131ca-352.dat	warzonerat
behavioral1/files/0x00040000000131ca-354.dat	warzonerat
behavioral1/files/0x00040000000131ca-357.dat	warzonerat
behavioral1/files/0x00040000000131ca-360.dat	warzonerat
behavioral1/files/0x00040000000131ca-365.dat	warzonerat
behavioral1/files/0x00040000000131ca-362.dat	warzonerat
behavioral1/files/0x00040000000131ca-368.dat	warzonerat
behavioral1/files/0x00040000000131ca-370.dat	warzonerat
behavioral1/files/0x00040000000131ca-373.dat	warzonerat
behavioral1/files/0x00040000000131ca-376.dat	warzonerat
behavioral1/files/0x00040000000131ca-378.dat	warzonerat
behavioral1/files/0x00040000000131ca-381.dat	warzonerat
behavioral1/files/0x00040000000131ca-384.dat	warzonerat
behavioral1/files/0x00040000000131ca-386.dat	warzonerat
behavioral1/files/0x00040000000131ca-389.dat	warzonerat
behavioral1/files/0x00040000000131ca-392.dat	warzonerat
behavioral1/files/0x00040000000131ca-394.dat	warzonerat
behavioral1/files/0x00040000000131ca-397.dat	warzonerat
behavioral1/files/0x00040000000131ca-400.dat	warzonerat
behavioral1/files/0x00040000000131ca-402.dat	warzonerat
behavioral1/files/0x00040000000131ca-405.dat	warzonerat
behavioral1/files/0x00040000000131ca-408.dat	warzonerat
behavioral1/files/0x00040000000131ca-410.dat	warzonerat
behavioral1/files/0x00040000000131ca-413.dat	warzonerat
behavioral1/files/0x00040000000131ca-416.dat	warzonerat
behavioral1/files/0x00040000000131ca-418.dat	warzonerat
behavioral1/files/0x00040000000131ca-421.dat	warzonerat
behavioral1/files/0x00040000000131ca-424.dat	warzonerat
behavioral1/files/0x00040000000131ca-426.dat	warzonerat
behavioral1/files/0x00040000000131ca-429.dat	warzonerat
behavioral1/files/0x00040000000131ca-432.dat	warzonerat
behavioral1/files/0x00040000000131ca-434.dat	warzonerat
behavioral1/files/0x00040000000131ca-437.dat	warzonerat
behavioral1/files/0x00040000000131ca-440.dat	warzonerat
behavioral1/files/0x00040000000131ca-442.dat	warzonerat
behavioral1/files/0x00040000000131ca-445.dat	warzonerat
behavioral1/files/0x00040000000131ca-448.dat	warzonerat
behavioral1/files/0x00040000000131ca-450.dat	warzonerat
behavioral1/files/0x00040000000131ca-453.dat	warzonerat
behavioral1/files/0x00040000000131ca-456.dat	warzonerat
behavioral1/files/0x00040000000131ca-458.dat	warzonerat
behavioral1/files/0x00040000000131ca-461.dat	warzonerat
behavioral1/files/0x00040000000131ca-464.dat	warzonerat
behavioral1/files/0x00040000000131ca-466.dat	warzonerat
behavioral1/files/0x00040000000131ca-469.dat	warzonerat
behavioral1/files/0x00040000000131ca-472.dat	warzonerat
behavioral1/files/0x00040000000131ca-474.dat	warzonerat
behavioral1/files/0x00040000000131ca-477.dat	warzonerat
behavioral1/files/0x00040000000131ca-480.dat	warzonerat
behavioral1/files/0x00040000000131ca-482.dat	warzonerat
behavioral1/files/0x00040000000131ca-485.dat	warzonerat
behavioral1/files/0x00040000000131ca-488.dat	warzonerat
behavioral1/files/0x00040000000131ca-490.dat	warzonerat
behavioral1/files/0x00040000000131ca-493.dat	warzonerat
behavioral1/files/0x00040000000131ca-496.dat	warzonerat
behavioral1/files/0x00040000000131ca-498.dat	warzonerat
behavioral1/files/0x00040000000131ca-501.dat	warzonerat
behavioral1/files/0x00040000000131ca-504.dat	warzonerat
behavioral1/files/0x00040000000131ca-506.dat	warzonerat
behavioral1/files/0x00040000000131ca-509.dat	warzonerat
behavioral1/files/0x00040000000131ca-512.dat	warzonerat
behavioral1/files/0x00040000000131ca-514.dat	warzonerat
behavioral1/files/0x00040000000131ca-517.dat	warzonerat
behavioral1/files/0x00040000000131ca-520.dat	warzonerat
behavioral1/files/0x00040000000131ca-522.dat	warzonerat
behavioral1/files/0x00040000000131ca-525.dat	warzonerat
behavioral1/files/0x00040000000131ca-528.dat	warzonerat
behavioral1/files/0x00040000000131ca-530.dat	warzonerat
behavioral1/files/0x00040000000131ca-533.dat	warzonerat
behavioral1/files/0x00040000000131ca-536.dat	warzonerat
behavioral1/files/0x00040000000131ca-538.dat	warzonerat
behavioral1/files/0x00040000000131ca-541.dat	warzonerat
behavioral1/files/0x00040000000131ca-544.dat	warzonerat
behavioral1/files/0x00040000000131ca-546.dat	warzonerat
behavioral1/files/0x00040000000131ca-549.dat	warzonerat
behavioral1/files/0x00040000000131ca-552.dat	warzonerat
behavioral1/files/0x00040000000131ca-554.dat	warzonerat
behavioral1/files/0x00040000000131ca-557.dat	warzonerat
behavioral1/files/0x00040000000131ca-560.dat	warzonerat
behavioral1/files/0x00040000000131ca-562.dat	warzonerat
behavioral1/files/0x00040000000131ca-565.dat	warzonerat
behavioral1/files/0x00040000000131ca-568.dat	warzonerat
behavioral1/files/0x00040000000131ca-570.dat	warzonerat
behavioral1/files/0x00040000000131ca-573.dat	warzonerat
behavioral1/files/0x00040000000131ca-576.dat	warzonerat
behavioral1/files/0x00040000000131ca-578.dat	warzonerat
behavioral1/files/0x00040000000131ca-581.dat	warzonerat
behavioral1/files/0x00040000000131ca-584.dat	warzonerat
behavioral1/files/0x00040000000131ca-586.dat	warzonerat
behavioral1/files/0x00040000000131ca-589.dat	warzonerat
behavioral1/files/0x00040000000131ca-592.dat	warzonerat
behavioral1/files/0x00040000000131ca-594.dat	warzonerat
behavioral1/files/0x00040000000131ca-597.dat	warzonerat
behavioral1/files/0x00040000000131ca-600.dat	warzonerat
behavioral1/files/0x00040000000131ca-602.dat	warzonerat
behavioral1/files/0x00040000000131ca-605.dat	warzonerat
behavioral1/files/0x00040000000131ca-608.dat	warzonerat
behavioral1/files/0x00040000000131ca-610.dat	warzonerat
behavioral1/files/0x00040000000131ca-613.dat	warzonerat
behavioral1/files/0x00040000000131ca-616.dat	warzonerat
behavioral1/files/0x00040000000131ca-618.dat	warzonerat
behavioral1/files/0x00040000000131ca-621.dat	warzonerat
behavioral1/files/0x00040000000131ca-624.dat	warzonerat
behavioral1/files/0x00040000000131ca-626.dat	warzonerat
behavioral1/files/0x00040000000131ca-629.dat	warzonerat
behavioral1/files/0x00040000000131ca-632.dat	warzonerat
behavioral1/files/0x00040000000131ca-634.dat	warzonerat
behavioral1/files/0x00040000000131ca-637.dat	warzonerat
behavioral1/files/0x00040000000131ca-640.dat	warzonerat
behavioral1/files/0x00040000000131ca-642.dat	warzonerat
behavioral1/files/0x00040000000131ca-645.dat	warzonerat
behavioral1/files/0x00040000000131ca-648.dat	warzonerat
behavioral1/files/0x00040000000131ca-653.dat	warzonerat
behavioral1/files/0x00040000000131ca-650.dat	warzonerat
behavioral1/files/0x00040000000131ca-656.dat	warzonerat
behavioral1/files/0x00040000000131ca-658.dat	warzonerat
behavioral1/files/0x00040000000131ca-661.dat	warzonerat
behavioral1/files/0x00040000000131ca-664.dat	warzonerat
behavioral1/files/0x00040000000131ca-666.dat	warzonerat
behavioral1/files/0x00040000000131ca-669.dat	warzonerat
behavioral1/files/0x00040000000131ca-672.dat	warzonerat
behavioral1/files/0x00040000000131ca-674.dat	warzonerat
behavioral1/files/0x00040000000131ca-677.dat	warzonerat
behavioral1/files/0x00040000000131ca-680.dat	warzonerat
behavioral1/files/0x00040000000131ca-682.dat	warzonerat
behavioral1/files/0x00040000000131ca-685.dat	warzonerat
behavioral1/files/0x00040000000131ca-688.dat	warzonerat
behavioral1/files/0x00040000000131ca-690.dat	warzonerat
behavioral1/files/0x00040000000131ca-693.dat	warzonerat
behavioral1/files/0x00040000000131ca-696.dat	warzonerat
behavioral1/files/0x00040000000131ca-698.dat	warzonerat
behavioral1/files/0x00040000000131ca-701.dat	warzonerat
behavioral1/files/0x00040000000131ca-702.dat	warzonerat
behavioral1/files/0x00040000000131ca-711.dat	warzonerat
behavioral1/files/0x00040000000131ca-714.dat	warzonerat
behavioral1/files/0x00040000000131ca-725.dat	warzonerat
behavioral1/files/0x00040000000131ca-723.dat	warzonerat
behavioral1/files/0x00040000000131ca-728.dat	warzonerat
behavioral1/files/0x00040000000131ca-736.dat	warzonerat

Executes dropped EXE 92 IoCs

pid	Process
1080	explorer.exe
1548	explorer.exe
1972	spoolsv.exe
2028	spoolsv.exe
1992	spoolsv.exe
1892	spoolsv.exe
272	spoolsv.exe
1472	spoolsv.exe
676	spoolsv.exe
1280	spoolsv.exe
1836	spoolsv.exe
548	spoolsv.exe
1076	spoolsv.exe
2044	spoolsv.exe
1476	spoolsv.exe
1372	spoolsv.exe
1944	spoolsv.exe
1920	spoolsv.exe
1996	spoolsv.exe
1872	spoolsv.exe
820	spoolsv.exe
1312	spoolsv.exe
1168	spoolsv.exe
1424	spoolsv.exe
1512	spoolsv.exe
1388	spoolsv.exe
1532	spoolsv.exe
1936	spoolsv.exe
2000	spoolsv.exe
1052	spoolsv.exe
1088	spoolsv.exe
760	spoolsv.exe
1496	spoolsv.exe
1252	spoolsv.exe
1436	spoolsv.exe
1672	spoolsv.exe
1572	spoolsv.exe
1104	spoolsv.exe
1524	spoolsv.exe
804	spoolsv.exe
1400	spoolsv.exe
468	spoolsv.exe
788	spoolsv.exe
1340	spoolsv.exe
1904	spoolsv.exe
1404	spoolsv.exe
1492	spoolsv.exe
1684	spoolsv.exe
656	spoolsv.exe
1268	spoolsv.exe
1060	spoolsv.exe
848	spoolsv.exe
1916	spoolsv.exe
2024	spoolsv.exe
316	spoolsv.exe
1364	spoolsv.exe
380	spoolsv.exe
1080	spoolsv.exe
1832	spoolsv.exe
1680	spoolsv.exe
1924	spoolsv.exe
744	spoolsv.exe
884	spoolsv.exe
1640	spoolsv.exe
2004	spoolsv.exe
1428	spoolsv.exe
1688	spoolsv.exe
1520	spoolsv.exe
1508	spoolsv.exe
1392	spoolsv.exe
1908	spoolsv.exe
616	spoolsv.exe
512	spoolsv.exe
916	spoolsv.exe
1420	spoolsv.exe
944	spoolsv.exe
984	spoolsv.exe
644	spoolsv.exe
1012	spoolsv.exe
432	spoolsv.exe
588	spoolsv.exe
1288	spoolsv.exe
1464	spoolsv.exe
1236	spoolsv.exe
1772	spoolsv.exe
1736	spoolsv.exe
2092	spoolsv.exe
2124	spoolsv.exe
2188	spoolsv.exe
2240	spoolsv.exe
2264	spoolsv.exe
2280	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 179 IoCs

pid	Process
828	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
828	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1972	spoolsv.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1992	spoolsv.exe
2028	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 set thread context of 480	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	25
PID 1080 set thread context of 1548	1080	explorer.exe	29
PID 1080 set thread context of 1912	1080	explorer.exe	30
PID 1972 set thread context of 2124	1972	spoolsv.exe	116
PID 1972 set thread context of 2148	1972	spoolsv.exe	117
PID 1992 set thread context of 2264	1992	spoolsv.exe	120
PID 2028 set thread context of 2280	2028	spoolsv.exe	121

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 88 IoCs

pid	Process
828	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
828	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
828	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
1548	explorer.exe
2124	spoolsv.exe
2124	spoolsv.exe

Suspicious use of WriteProcessMemory 415 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 wrote to memory of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 wrote to memory of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 wrote to memory of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 wrote to memory of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 wrote to memory of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 wrote to memory of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 wrote to memory of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 wrote to memory of 828	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	24
PID 1424 wrote to memory of 480	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	25
PID 1424 wrote to memory of 480	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	25
PID 1424 wrote to memory of 480	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	25
PID 1424 wrote to memory of 480	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	25
PID 1424 wrote to memory of 480	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	25
PID 1424 wrote to memory of 480	1424	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	25
PID 828 wrote to memory of 1080	828	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	26
PID 828 wrote to memory of 1080	828	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	26
PID 828 wrote to memory of 1080	828	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	26
PID 828 wrote to memory of 1080	828	ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe	26
PID 1080 wrote to memory of 1548	1080	explorer.exe	29
PID 1080 wrote to memory of 1548	1080	explorer.exe	29
PID 1080 wrote to memory of 1548	1080	explorer.exe	29
PID 1080 wrote to memory of 1548	1080	explorer.exe	29
PID 1080 wrote to memory of 1548	1080	explorer.exe	29
PID 1080 wrote to memory of 1548	1080	explorer.exe	29
PID 1080 wrote to memory of 1548	1080	explorer.exe	29
PID 1080 wrote to memory of 1548	1080	explorer.exe	29
PID 1080 wrote to memory of 1548	1080	explorer.exe	29
PID 1080 wrote to memory of 1912	1080	explorer.exe	30
PID 1080 wrote to memory of 1912	1080	explorer.exe	30
PID 1080 wrote to memory of 1912	1080	explorer.exe	30
PID 1080 wrote to memory of 1912	1080	explorer.exe	30
PID 1080 wrote to memory of 1912	1080	explorer.exe	30
PID 1080 wrote to memory of 1912	1080	explorer.exe	30
PID 1548 wrote to memory of 1972	1548	explorer.exe	31
PID 1548 wrote to memory of 1972	1548	explorer.exe	31
PID 1548 wrote to memory of 1972	1548	explorer.exe	31
PID 1548 wrote to memory of 1972	1548	explorer.exe	31
PID 1548 wrote to memory of 2028	1548	explorer.exe	32
PID 1548 wrote to memory of 2028	1548	explorer.exe	32
PID 1548 wrote to memory of 2028	1548	explorer.exe	32
PID 1548 wrote to memory of 2028	1548	explorer.exe	32
PID 1548 wrote to memory of 1992	1548	explorer.exe	33
PID 1548 wrote to memory of 1992	1548	explorer.exe	33
PID 1548 wrote to memory of 1992	1548	explorer.exe	33
PID 1548 wrote to memory of 1992	1548	explorer.exe	33
PID 1548 wrote to memory of 1892	1548	explorer.exe	34
PID 1548 wrote to memory of 1892	1548	explorer.exe	34
PID 1548 wrote to memory of 1892	1548	explorer.exe	34
PID 1548 wrote to memory of 1892	1548	explorer.exe	34
PID 1548 wrote to memory of 272	1548	explorer.exe	35
PID 1548 wrote to memory of 272	1548	explorer.exe	35
PID 1548 wrote to memory of 272	1548	explorer.exe	35
PID 1548 wrote to memory of 272	1548	explorer.exe	35
PID 1548 wrote to memory of 1472	1548	explorer.exe	36
PID 1548 wrote to memory of 1472	1548	explorer.exe	36
PID 1548 wrote to memory of 1472	1548	explorer.exe	36
PID 1548 wrote to memory of 1472	1548	explorer.exe	36
PID 1548 wrote to memory of 676	1548	explorer.exe	37
PID 1548 wrote to memory of 676	1548	explorer.exe	37
PID 1548 wrote to memory of 676	1548	explorer.exe	37
PID 1548 wrote to memory of 676	1548	explorer.exe	37
PID 1548 wrote to memory of 1280	1548	explorer.exe	38
PID 1548 wrote to memory of 1280	1548	explorer.exe	38
PID 1548 wrote to memory of 1280	1548	explorer.exe	38
PID 1548 wrote to memory of 1280	1548	explorer.exe	38
PID 1548 wrote to memory of 1836	1548	explorer.exe	39
PID 1548 wrote to memory of 1836	1548	explorer.exe	39
PID 1548 wrote to memory of 1836	1548	explorer.exe	39
PID 1548 wrote to memory of 1836	1548	explorer.exe	39
PID 1548 wrote to memory of 548	1548	explorer.exe	40
PID 1548 wrote to memory of 548	1548	explorer.exe	40
PID 1548 wrote to memory of 548	1548	explorer.exe	40
PID 1548 wrote to memory of 548	1548	explorer.exe	40
PID 1548 wrote to memory of 1076	1548	explorer.exe	41
PID 1548 wrote to memory of 1076	1548	explorer.exe	41
PID 1548 wrote to memory of 1076	1548	explorer.exe	41
PID 1548 wrote to memory of 1076	1548	explorer.exe	41
PID 1548 wrote to memory of 2044	1548	explorer.exe	42
PID 1548 wrote to memory of 2044	1548	explorer.exe	42
PID 1548 wrote to memory of 2044	1548	explorer.exe	42
PID 1548 wrote to memory of 2044	1548	explorer.exe	42
PID 1548 wrote to memory of 1476	1548	explorer.exe	43
PID 1548 wrote to memory of 1476	1548	explorer.exe	43
PID 1548 wrote to memory of 1476	1548	explorer.exe	43
PID 1548 wrote to memory of 1476	1548	explorer.exe	43
PID 1548 wrote to memory of 1372	1548	explorer.exe	44
PID 1548 wrote to memory of 1372	1548	explorer.exe	44
PID 1548 wrote to memory of 1372	1548	explorer.exe	44
PID 1548 wrote to memory of 1372	1548	explorer.exe	44
PID 1548 wrote to memory of 1944	1548	explorer.exe	45
PID 1548 wrote to memory of 1944	1548	explorer.exe	45
PID 1548 wrote to memory of 1944	1548	explorer.exe	45
PID 1548 wrote to memory of 1944	1548	explorer.exe	45
PID 1548 wrote to memory of 1920	1548	explorer.exe	46
PID 1548 wrote to memory of 1920	1548	explorer.exe	46
PID 1548 wrote to memory of 1920	1548	explorer.exe	46
PID 1548 wrote to memory of 1920	1548	explorer.exe	46
PID 1548 wrote to memory of 1996	1548	explorer.exe	47
PID 1548 wrote to memory of 1996	1548	explorer.exe	47
PID 1548 wrote to memory of 1996	1548	explorer.exe	47
PID 1548 wrote to memory of 1996	1548	explorer.exe	47
PID 1548 wrote to memory of 1872	1548	explorer.exe	48
PID 1548 wrote to memory of 1872	1548	explorer.exe	48
PID 1548 wrote to memory of 1872	1548	explorer.exe	48
PID 1548 wrote to memory of 1872	1548	explorer.exe	48
PID 1548 wrote to memory of 820	1548	explorer.exe	49
PID 1548 wrote to memory of 820	1548	explorer.exe	49
PID 1548 wrote to memory of 820	1548	explorer.exe	49
PID 1548 wrote to memory of 820	1548	explorer.exe	49
PID 1548 wrote to memory of 1312	1548	explorer.exe	50
PID 1548 wrote to memory of 1312	1548	explorer.exe	50
PID 1548 wrote to memory of 1312	1548	explorer.exe	50
PID 1548 wrote to memory of 1312	1548	explorer.exe	50
PID 1548 wrote to memory of 1168	1548	explorer.exe	51
PID 1548 wrote to memory of 1168	1548	explorer.exe	51
PID 1548 wrote to memory of 1168	1548	explorer.exe	51
PID 1548 wrote to memory of 1168	1548	explorer.exe	51
PID 1548 wrote to memory of 1424	1548	explorer.exe	52
PID 1548 wrote to memory of 1424	1548	explorer.exe	52
PID 1548 wrote to memory of 1424	1548	explorer.exe	52
PID 1548 wrote to memory of 1424	1548	explorer.exe	52
PID 1548 wrote to memory of 1512	1548	explorer.exe	53
PID 1548 wrote to memory of 1512	1548	explorer.exe	53
PID 1548 wrote to memory of 1512	1548	explorer.exe	53
PID 1548 wrote to memory of 1512	1548	explorer.exe	53
PID 1548 wrote to memory of 1388	1548	explorer.exe	54
PID 1548 wrote to memory of 1388	1548	explorer.exe	54
PID 1548 wrote to memory of 1388	1548	explorer.exe	54
PID 1548 wrote to memory of 1388	1548	explorer.exe	54
PID 1548 wrote to memory of 1532	1548	explorer.exe	55
PID 1548 wrote to memory of 1532	1548	explorer.exe	55
PID 1548 wrote to memory of 1532	1548	explorer.exe	55
PID 1548 wrote to memory of 1532	1548	explorer.exe	55
PID 1548 wrote to memory of 1936	1548	explorer.exe	56
PID 1548 wrote to memory of 1936	1548	explorer.exe	56
PID 1548 wrote to memory of 1936	1548	explorer.exe	56
PID 1548 wrote to memory of 1936	1548	explorer.exe	56
PID 1548 wrote to memory of 2000	1548	explorer.exe	57
PID 1548 wrote to memory of 2000	1548	explorer.exe	57
PID 1548 wrote to memory of 2000	1548	explorer.exe	57
PID 1548 wrote to memory of 2000	1548	explorer.exe	57
PID 1548 wrote to memory of 1052	1548	explorer.exe	58
PID 1548 wrote to memory of 1052	1548	explorer.exe	58
PID 1548 wrote to memory of 1052	1548	explorer.exe	58
PID 1548 wrote to memory of 1052	1548	explorer.exe	58
PID 1548 wrote to memory of 1088	1548	explorer.exe	59
PID 1548 wrote to memory of 1088	1548	explorer.exe	59
PID 1548 wrote to memory of 1088	1548	explorer.exe	59
PID 1548 wrote to memory of 1088	1548	explorer.exe	59
PID 1548 wrote to memory of 760	1548	explorer.exe	60
PID 1548 wrote to memory of 760	1548	explorer.exe	60
PID 1548 wrote to memory of 760	1548	explorer.exe	60
PID 1548 wrote to memory of 760	1548	explorer.exe	60
PID 1548 wrote to memory of 1496	1548	explorer.exe	61
PID 1548 wrote to memory of 1496	1548	explorer.exe	61
PID 1548 wrote to memory of 1496	1548	explorer.exe	61
PID 1548 wrote to memory of 1496	1548	explorer.exe	61
PID 1548 wrote to memory of 1252	1548	explorer.exe	62
PID 1548 wrote to memory of 1252	1548	explorer.exe	62
PID 1548 wrote to memory of 1252	1548	explorer.exe	62
PID 1548 wrote to memory of 1252	1548	explorer.exe	62
PID 1548 wrote to memory of 1436	1548	explorer.exe	63
PID 1548 wrote to memory of 1436	1548	explorer.exe	63
PID 1548 wrote to memory of 1436	1548	explorer.exe	63
PID 1548 wrote to memory of 1436	1548	explorer.exe	63
PID 1548 wrote to memory of 1672	1548	explorer.exe	64
PID 1548 wrote to memory of 1672	1548	explorer.exe	64
PID 1548 wrote to memory of 1672	1548	explorer.exe	64
PID 1548 wrote to memory of 1672	1548	explorer.exe	64
PID 1548 wrote to memory of 1572	1548	explorer.exe	65
PID 1548 wrote to memory of 1572	1548	explorer.exe	65
PID 1548 wrote to memory of 1572	1548	explorer.exe	65
PID 1548 wrote to memory of 1572	1548	explorer.exe	65
PID 1548 wrote to memory of 1104	1548	explorer.exe	66
PID 1548 wrote to memory of 1104	1548	explorer.exe	66
PID 1548 wrote to memory of 1104	1548	explorer.exe	66
PID 1548 wrote to memory of 1104	1548	explorer.exe	66
PID 1548 wrote to memory of 1524	1548	explorer.exe	67
PID 1548 wrote to memory of 1524	1548	explorer.exe	67
PID 1548 wrote to memory of 1524	1548	explorer.exe	67
PID 1548 wrote to memory of 1524	1548	explorer.exe	67
PID 1548 wrote to memory of 804	1548	explorer.exe	68
PID 1548 wrote to memory of 804	1548	explorer.exe	68
PID 1548 wrote to memory of 804	1548	explorer.exe	68
PID 1548 wrote to memory of 804	1548	explorer.exe	68
PID 1548 wrote to memory of 1400	1548	explorer.exe	69
PID 1548 wrote to memory of 1400	1548	explorer.exe	69
PID 1548 wrote to memory of 1400	1548	explorer.exe	69
PID 1548 wrote to memory of 1400	1548	explorer.exe	69
PID 1548 wrote to memory of 468	1548	explorer.exe	70
PID 1548 wrote to memory of 468	1548	explorer.exe	70
PID 1548 wrote to memory of 468	1548	explorer.exe	70
PID 1548 wrote to memory of 468	1548	explorer.exe	70
PID 1548 wrote to memory of 788	1548	explorer.exe	71
PID 1548 wrote to memory of 788	1548	explorer.exe	71
PID 1548 wrote to memory of 788	1548	explorer.exe	71
PID 1548 wrote to memory of 788	1548	explorer.exe	71
PID 1548 wrote to memory of 1340	1548	explorer.exe	72
PID 1548 wrote to memory of 1340	1548	explorer.exe	72
PID 1548 wrote to memory of 1340	1548	explorer.exe	72
PID 1548 wrote to memory of 1340	1548	explorer.exe	72
PID 1548 wrote to memory of 1904	1548	explorer.exe	73
PID 1548 wrote to memory of 1904	1548	explorer.exe	73
PID 1548 wrote to memory of 1904	1548	explorer.exe	73
PID 1548 wrote to memory of 1904	1548	explorer.exe	73
PID 1548 wrote to memory of 1404	1548	explorer.exe	74
PID 1548 wrote to memory of 1404	1548	explorer.exe	74
PID 1548 wrote to memory of 1404	1548	explorer.exe	74
PID 1548 wrote to memory of 1404	1548	explorer.exe	74
PID 1548 wrote to memory of 1492	1548	explorer.exe	75
PID 1548 wrote to memory of 1492	1548	explorer.exe	75
PID 1548 wrote to memory of 1492	1548	explorer.exe	75
PID 1548 wrote to memory of 1492	1548	explorer.exe	75
PID 1548 wrote to memory of 1684	1548	explorer.exe	76
PID 1548 wrote to memory of 1684	1548	explorer.exe	76
PID 1548 wrote to memory of 1684	1548	explorer.exe	76
PID 1548 wrote to memory of 1684	1548	explorer.exe	76
PID 1548 wrote to memory of 656	1548	explorer.exe	77
PID 1548 wrote to memory of 656	1548	explorer.exe	77
PID 1548 wrote to memory of 656	1548	explorer.exe	77
PID 1548 wrote to memory of 656	1548	explorer.exe	77
PID 1548 wrote to memory of 1268	1548	explorer.exe	78
PID 1548 wrote to memory of 1268	1548	explorer.exe	78
PID 1548 wrote to memory of 1268	1548	explorer.exe	78
PID 1548 wrote to memory of 1268	1548	explorer.exe	78
PID 1548 wrote to memory of 1060	1548	explorer.exe	79
PID 1548 wrote to memory of 1060	1548	explorer.exe	79
PID 1548 wrote to memory of 1060	1548	explorer.exe	79
PID 1548 wrote to memory of 1060	1548	explorer.exe	79
PID 1548 wrote to memory of 848	1548	explorer.exe	80
PID 1548 wrote to memory of 848	1548	explorer.exe	80
PID 1548 wrote to memory of 848	1548	explorer.exe	80
PID 1548 wrote to memory of 848	1548	explorer.exe	80
PID 1548 wrote to memory of 1916	1548	explorer.exe	81
PID 1548 wrote to memory of 1916	1548	explorer.exe	81
PID 1548 wrote to memory of 1916	1548	explorer.exe	81
PID 1548 wrote to memory of 1916	1548	explorer.exe	81
PID 1548 wrote to memory of 2024	1548	explorer.exe	82
PID 1548 wrote to memory of 2024	1548	explorer.exe	82
PID 1548 wrote to memory of 2024	1548	explorer.exe	82
PID 1548 wrote to memory of 2024	1548	explorer.exe	82
PID 1548 wrote to memory of 316	1548	explorer.exe	83
PID 1548 wrote to memory of 316	1548	explorer.exe	83
PID 1548 wrote to memory of 316	1548	explorer.exe	83
PID 1548 wrote to memory of 316	1548	explorer.exe	83
PID 1548 wrote to memory of 1364	1548	explorer.exe	84
PID 1548 wrote to memory of 1364	1548	explorer.exe	84
PID 1548 wrote to memory of 1364	1548	explorer.exe	84
PID 1548 wrote to memory of 1364	1548	explorer.exe	84
PID 1548 wrote to memory of 380	1548	explorer.exe	85
PID 1548 wrote to memory of 380	1548	explorer.exe	85
PID 1548 wrote to memory of 380	1548	explorer.exe	85
PID 1548 wrote to memory of 380	1548	explorer.exe	85
PID 1548 wrote to memory of 1080	1548	explorer.exe	86
PID 1548 wrote to memory of 1080	1548	explorer.exe	86
PID 1548 wrote to memory of 1080	1548	explorer.exe	86
PID 1548 wrote to memory of 1080	1548	explorer.exe	86
PID 1548 wrote to memory of 1832	1548	explorer.exe	87
PID 1548 wrote to memory of 1832	1548	explorer.exe	87
PID 1548 wrote to memory of 1832	1548	explorer.exe	87
PID 1548 wrote to memory of 1832	1548	explorer.exe	87
PID 1548 wrote to memory of 1680	1548	explorer.exe	88
PID 1548 wrote to memory of 1680	1548	explorer.exe	88
PID 1548 wrote to memory of 1680	1548	explorer.exe	88
PID 1548 wrote to memory of 1680	1548	explorer.exe	88
PID 1548 wrote to memory of 1924	1548	explorer.exe	89
PID 1548 wrote to memory of 1924	1548	explorer.exe	89
PID 1548 wrote to memory of 1924	1548	explorer.exe	89
PID 1548 wrote to memory of 1924	1548	explorer.exe	89
PID 1548 wrote to memory of 744	1548	explorer.exe	90
PID 1548 wrote to memory of 744	1548	explorer.exe	90
PID 1548 wrote to memory of 744	1548	explorer.exe	90
PID 1548 wrote to memory of 744	1548	explorer.exe	90
PID 1548 wrote to memory of 884	1548	explorer.exe	91
PID 1548 wrote to memory of 884	1548	explorer.exe	91
PID 1548 wrote to memory of 884	1548	explorer.exe	91
PID 1548 wrote to memory of 884	1548	explorer.exe	91
PID 1548 wrote to memory of 1640	1548	explorer.exe	92
PID 1548 wrote to memory of 1640	1548	explorer.exe	92
PID 1548 wrote to memory of 1640	1548	explorer.exe	92
PID 1548 wrote to memory of 1640	1548	explorer.exe	92
PID 1548 wrote to memory of 2004	1548	explorer.exe	93
PID 1548 wrote to memory of 2004	1548	explorer.exe	93
PID 1548 wrote to memory of 2004	1548	explorer.exe	93
PID 1548 wrote to memory of 2004	1548	explorer.exe	93
PID 1548 wrote to memory of 1428	1548	explorer.exe	94
PID 1548 wrote to memory of 1428	1548	explorer.exe	94
PID 1548 wrote to memory of 1428	1548	explorer.exe	94
PID 1548 wrote to memory of 1428	1548	explorer.exe	94
PID 1548 wrote to memory of 1688	1548	explorer.exe	95
PID 1548 wrote to memory of 1688	1548	explorer.exe	95
PID 1548 wrote to memory of 1688	1548	explorer.exe	95
PID 1548 wrote to memory of 1688	1548	explorer.exe	95
PID 1548 wrote to memory of 1520	1548	explorer.exe	96
PID 1548 wrote to memory of 1520	1548	explorer.exe	96
PID 1548 wrote to memory of 1520	1548	explorer.exe	96
PID 1548 wrote to memory of 1520	1548	explorer.exe	96
PID 1548 wrote to memory of 1508	1548	explorer.exe	97
PID 1548 wrote to memory of 1508	1548	explorer.exe	97
PID 1548 wrote to memory of 1508	1548	explorer.exe	97
PID 1548 wrote to memory of 1508	1548	explorer.exe	97
PID 1548 wrote to memory of 1392	1548	explorer.exe	98
PID 1548 wrote to memory of 1392	1548	explorer.exe	98
PID 1548 wrote to memory of 1392	1548	explorer.exe	98
PID 1548 wrote to memory of 1392	1548	explorer.exe	98
PID 1548 wrote to memory of 1908	1548	explorer.exe	99
PID 1548 wrote to memory of 1908	1548	explorer.exe	99
PID 1548 wrote to memory of 1908	1548	explorer.exe	99
PID 1548 wrote to memory of 1908	1548	explorer.exe	99
PID 1548 wrote to memory of 616	1548	explorer.exe	100
PID 1548 wrote to memory of 616	1548	explorer.exe	100
PID 1548 wrote to memory of 616	1548	explorer.exe	100
PID 1548 wrote to memory of 616	1548	explorer.exe	100
PID 1548 wrote to memory of 512	1548	explorer.exe	101
PID 1548 wrote to memory of 512	1548	explorer.exe	101
PID 1548 wrote to memory of 512	1548	explorer.exe	101
PID 1548 wrote to memory of 512	1548	explorer.exe	101
PID 1548 wrote to memory of 916	1548	explorer.exe	102
PID 1548 wrote to memory of 916	1548	explorer.exe	102
PID 1548 wrote to memory of 916	1548	explorer.exe	102
PID 1548 wrote to memory of 916	1548	explorer.exe	102
PID 1548 wrote to memory of 1420	1548	explorer.exe	103
PID 1548 wrote to memory of 1420	1548	explorer.exe	103
PID 1548 wrote to memory of 1420	1548	explorer.exe	103
PID 1548 wrote to memory of 1420	1548	explorer.exe	103
PID 1548 wrote to memory of 944	1548	explorer.exe	104
PID 1548 wrote to memory of 944	1548	explorer.exe	104
PID 1548 wrote to memory of 944	1548	explorer.exe	104
PID 1548 wrote to memory of 944	1548	explorer.exe	104
PID 1548 wrote to memory of 984	1548	explorer.exe	105
PID 1548 wrote to memory of 984	1548	explorer.exe	105
PID 1548 wrote to memory of 984	1548	explorer.exe	105
PID 1548 wrote to memory of 984	1548	explorer.exe	105
PID 1548 wrote to memory of 644	1548	explorer.exe	106
PID 1548 wrote to memory of 644	1548	explorer.exe	106
PID 1548 wrote to memory of 644	1548	explorer.exe	106
PID 1548 wrote to memory of 644	1548	explorer.exe	106
PID 1548 wrote to memory of 1012	1548	explorer.exe	107
PID 1548 wrote to memory of 1012	1548	explorer.exe	107
PID 1548 wrote to memory of 1012	1548	explorer.exe	107
PID 1548 wrote to memory of 1012	1548	explorer.exe	107
PID 1548 wrote to memory of 432	1548	explorer.exe	108
PID 1548 wrote to memory of 432	1548	explorer.exe	108
PID 1548 wrote to memory of 432	1548	explorer.exe	108
PID 1548 wrote to memory of 432	1548	explorer.exe	108
PID 1548 wrote to memory of 588	1548	explorer.exe	109
PID 1548 wrote to memory of 588	1548	explorer.exe	109
PID 1548 wrote to memory of 588	1548	explorer.exe	109
PID 1548 wrote to memory of 588	1548	explorer.exe	109
PID 1548 wrote to memory of 1288	1548	explorer.exe	110
PID 1548 wrote to memory of 1288	1548	explorer.exe	110
PID 1548 wrote to memory of 1288	1548	explorer.exe	110
PID 1548 wrote to memory of 1288	1548	explorer.exe	110
PID 1548 wrote to memory of 1464	1548	explorer.exe	111
PID 1548 wrote to memory of 1464	1548	explorer.exe	111
PID 1548 wrote to memory of 1464	1548	explorer.exe	111
PID 1548 wrote to memory of 1464	1548	explorer.exe	111
PID 1548 wrote to memory of 1236	1548	explorer.exe	112
PID 1548 wrote to memory of 1236	1548	explorer.exe	112
PID 1548 wrote to memory of 1236	1548	explorer.exe	112
PID 1548 wrote to memory of 1236	1548	explorer.exe	112
PID 1548 wrote to memory of 1772	1548	explorer.exe	113
PID 1548 wrote to memory of 1772	1548	explorer.exe	113
PID 1548 wrote to memory of 1772	1548	explorer.exe	113
PID 1548 wrote to memory of 1772	1548	explorer.exe	113
PID 1548 wrote to memory of 1736	1548	explorer.exe	114
PID 1548 wrote to memory of 1736	1548	explorer.exe	114
PID 1548 wrote to memory of 1736	1548	explorer.exe	114
PID 1548 wrote to memory of 1736	1548	explorer.exe	114
PID 1548 wrote to memory of 2092	1548	explorer.exe	115
PID 1548 wrote to memory of 2092	1548	explorer.exe	115
PID 1548 wrote to memory of 2092	1548	explorer.exe	115
PID 1548 wrote to memory of 2092	1548	explorer.exe	115
PID 1972 wrote to memory of 2124	1972	spoolsv.exe	116
PID 1972 wrote to memory of 2124	1972	spoolsv.exe	116
PID 1972 wrote to memory of 2124	1972	spoolsv.exe	116
PID 1972 wrote to memory of 2124	1972	spoolsv.exe	116
PID 1972 wrote to memory of 2124	1972	spoolsv.exe	116
PID 1972 wrote to memory of 2124	1972	spoolsv.exe	116
PID 1972 wrote to memory of 2124	1972	spoolsv.exe	116
PID 1972 wrote to memory of 2124	1972	spoolsv.exe	116
PID 1972 wrote to memory of 2124	1972	spoolsv.exe	116
PID 1972 wrote to memory of 2148	1972	spoolsv.exe	117
PID 1972 wrote to memory of 2148	1972	spoolsv.exe	117
PID 1972 wrote to memory of 2148	1972	spoolsv.exe	117
PID 1972 wrote to memory of 2148	1972	spoolsv.exe	117
PID 1972 wrote to memory of 2148	1972	spoolsv.exe	117
PID 1972 wrote to memory of 2148	1972	spoolsv.exe	117
PID 1548 wrote to memory of 2188	1548	explorer.exe	118
PID 1548 wrote to memory of 2188	1548	explorer.exe	118
PID 1548 wrote to memory of 2188	1548	explorer.exe	118
PID 1548 wrote to memory of 2188	1548	explorer.exe	118
PID 1992 wrote to memory of 2264	1992	spoolsv.exe	120
PID 1992 wrote to memory of 2264	1992	spoolsv.exe	120
PID 1992 wrote to memory of 2264	1992	spoolsv.exe	120
PID 1992 wrote to memory of 2264	1992	spoolsv.exe	120
PID 1548 wrote to memory of 2240	1548	explorer.exe	119
PID 1548 wrote to memory of 2240	1548	explorer.exe	119
PID 1548 wrote to memory of 2240	1548	explorer.exe	119
PID 1548 wrote to memory of 2240	1548	explorer.exe	119
PID 1992 wrote to memory of 2264	1992	spoolsv.exe	120
PID 1992 wrote to memory of 2264	1992	spoolsv.exe	120
PID 1992 wrote to memory of 2264	1992	spoolsv.exe	120
PID 1992 wrote to memory of 2264	1992	spoolsv.exe	120
PID 1992 wrote to memory of 2264	1992	spoolsv.exe	120
PID 2028 wrote to memory of 2280	2028	spoolsv.exe	121
PID 2028 wrote to memory of 2280	2028	spoolsv.exe	121
PID 2028 wrote to memory of 2280	2028	spoolsv.exe	121
PID 2028 wrote to memory of 2280	2028	spoolsv.exe	121
PID 2028 wrote to memory of 2280	2028	spoolsv.exe	121
PID 2028 wrote to memory of 2280	2028	spoolsv.exe	121
PID 2028 wrote to memory of 2280	2028	spoolsv.exe	121
PID 2028 wrote to memory of 2280	2028	spoolsv.exe	121
PID 2028 wrote to memory of 2280	2028	spoolsv.exe	121

C:\Users\Admin\AppData\Local\Temp\ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
"C:\Users\Admin\AppData\Local\Temp\ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe
  "C:\Users\Admin\AppData\Local\Temp\ac0841f157fd3662fe4035ff5f1df319ff1442d9de50fc066bb555ffcd6aee08.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:828
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1972
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2124
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2148
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2028
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1992
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        6⤵
        
        PID:2264
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1892
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:272
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1472
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:676
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1280
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1836
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:548
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1076
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2044
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1476
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1372
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1920
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1996
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1872
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:820
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1312
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1168
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1424
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1388
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1532
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1936
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2000
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1052
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1088
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:760
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1496
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1252
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1436
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1672
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1572
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1104
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1524
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:804
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1400
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:468
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:788
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1340
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1904
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1404
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1492
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1684
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:656
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1268
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1060
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:848
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:2024
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:316
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1364
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:380
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1080
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1832
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1680
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1924
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:744
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:884
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        
        PID:1640
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2004
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1428
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1688
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1520
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1508
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1392
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1908
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:616
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:512
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:916
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1420
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:944
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:984
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:644
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1012
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:432
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:588
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1288
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1464
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1236
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1772
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:1736
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2092
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2188
    - - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        5⤵
        
        PID:2240
  - - C:\Windows\SysWOW64\diskperf.exe
      "C:\Windows\SysWOW64\diskperf.exe"
      4⤵
      PID:1912
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"
  2⤵
  PID:480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/480-3-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/480-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/828-9-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/828-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-10-0x0000000003320000-0x0000000003331000-memory.dmp

Filesize
68KB

Download
memory/828-17-0x00000000002A0000-0x00000000002A4000-memory.dmp

Filesize
16KB

Download
memory/828-12-0x0000000002F10000-0x0000000002F21000-memory.dmp

Filesize
68KB

Download
memory/828-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/828-18-0x0000000002720000-0x0000000002724000-memory.dmp

Filesize
16KB

Download
memory/1548-79-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-215-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-463-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-166-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-167-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-318-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-70-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-470-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-471-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-279-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-278-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-455-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-454-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-478-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-479-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-319-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-71-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-127-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-286-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-486-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-487-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-175-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-174-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-287-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-126-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-494-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-495-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-271-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-270-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-326-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-63-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-502-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-503-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-447-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-446-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-119-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-62-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-510-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-511-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-183-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-182-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-159-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-731-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-518-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-263-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-519-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-262-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-730-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-158-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-526-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-527-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-439-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-190-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-191-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-327-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-534-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-535-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-255-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-254-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-438-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-55-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-542-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-543-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-118-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-334-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-720-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-54-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-550-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-551-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-198-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-199-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-431-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-719-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-558-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-559-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-247-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-246-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-430-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-78-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-566-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-567-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-335-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-206-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-207-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-294-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-574-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-575-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-239-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-238-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-111-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-47-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-582-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-583-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-295-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-110-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-46-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-423-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-590-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-591-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-214-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-231-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-342-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-422-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-598-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-599-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-462-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-230-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-134-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-151-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-606-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-607-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-150-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-223-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-415-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-222-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-614-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-615-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-414-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-343-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-704-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-39-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-622-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-623-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-407-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-406-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-38-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-302-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-630-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-631-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-303-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-399-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-398-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-37-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-638-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-639-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-703-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-143-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-142-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-36-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-646-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-647-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-391-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-103-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-390-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-86-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-654-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-655-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-102-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-383-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-382-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-350-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-662-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-663-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-87-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-310-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-311-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-670-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-671-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-375-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-374-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-695-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-135-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-678-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-679-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-367-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-366-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-94-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-359-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-686-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-687-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-358-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-95-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/1548-694-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/1548-351-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download