warzonerat | 7736dee71f6b746976410e7d95f12bfa36032f9f16f7b5f5476c9488470e06d0

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

076ef9b8febf33deb3cae4018a580460_NEAS.exe
Size

2.9MB
MD5

076ef9b8febf33deb3cae4018a580460
SHA1

2b404428fde62e0f600da698cd3f47a62d4afb24
SHA256

7736dee71f6b746976410e7d95f12bfa36032f9f16f7b5f5476c9488470e06d0
SHA512

2b84a110f3bd50f73cc08ccb7b6487b3a870a7f105e38483c3c512d798579b4d8e3d9717eed7a2192497f680714efd6b6d4f41002f47ef576551c3b811435eb5
SSDEEP

24576:eTy7ASmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHz:eTy7ASmw4gxeOw46fUbNecCCFbNecc

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 35 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1584	explorer.exe
2344	explorer.exe
2992	explorer.exe
2132	spoolsv.exe
1340	spoolsv.exe
2264	spoolsv.exe
3064	spoolsv.exe
1296	spoolsv.exe
2092	spoolsv.exe
1008	spoolsv.exe
1804	spoolsv.exe
1820	spoolsv.exe
2524	spoolsv.exe
864	spoolsv.exe
2284	spoolsv.exe
1900	spoolsv.exe
1120	spoolsv.exe
3028	spoolsv.exe
2252	spoolsv.exe
2656	spoolsv.exe
2612	spoolsv.exe
2176	spoolsv.exe
2500	spoolsv.exe
1428	spoolsv.exe
1944	spoolsv.exe
2444	spoolsv.exe
1680	spoolsv.exe
2032	spoolsv.exe
108	spoolsv.exe
2324	spoolsv.exe
2200	spoolsv.exe
2408	spoolsv.exe
2192	spoolsv.exe
2736	spoolsv.exe
3004	spoolsv.exe
2948	spoolsv.exe
2468	spoolsv.exe
1396	spoolsv.exe
1548	spoolsv.exe
1260	spoolsv.exe
576	spoolsv.exe
2808	spoolsv.exe
1488	spoolsv.exe
1324	spoolsv.exe
2016	spoolsv.exe
896	spoolsv.exe
2104	spoolsv.exe
2476	spoolsv.exe
2796	spoolsv.exe
2940	spoolsv.exe
868	spoolsv.exe
1440	spoolsv.exe
988	spoolsv.exe
2884	spoolsv.exe
616	spoolsv.exe
2868	spoolsv.exe
1604	spoolsv.exe
1256	spoolsv.exe
2836	spoolsv.exe
2736	spoolsv.exe
2504	spoolsv.exe
2904	spoolsv.exe
2748	spoolsv.exe
1396	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

076ef9b8febf33deb3cae4018a580460_NEAS.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2928	076ef9b8febf33deb3cae4018a580460_NEAS.exe
2928	076ef9b8febf33deb3cae4018a580460_NEAS.exe
2992	explorer.exe
2992	explorer.exe
2132	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2264	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
1296	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
1008	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
1820	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
864	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
1900	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
3028	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2656	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2176	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
1428	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2444	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2032	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2324	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2408	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2736	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2948	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
1396	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
1260	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2808	spoolsv.exe
2992	explorer.exe
2992	explorer.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exe076ef9b8febf33deb3cae4018a580460_NEAS.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	076ef9b8febf33deb3cae4018a580460_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

076ef9b8febf33deb3cae4018a580460_NEAS.exe076ef9b8febf33deb3cae4018a580460_NEAS.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2360 set thread context of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 set thread context of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 set thread context of 2780	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	diskperf.exe
PID 1584 set thread context of 2344	1584	explorer.exe	explorer.exe
PID 2344 set thread context of 2992	2344	explorer.exe	explorer.exe
PID 2344 set thread context of 352	2344	explorer.exe	diskperf.exe
PID 2132 set thread context of 1340	2132	spoolsv.exe	spoolsv.exe
PID 2264 set thread context of 3064	2264	spoolsv.exe	spoolsv.exe
PID 1296 set thread context of 2092	1296	spoolsv.exe	spoolsv.exe
PID 1008 set thread context of 1804	1008	spoolsv.exe	spoolsv.exe
PID 1820 set thread context of 2524	1820	spoolsv.exe	spoolsv.exe
PID 864 set thread context of 2284	864	spoolsv.exe	spoolsv.exe
PID 1900 set thread context of 1120	1900	spoolsv.exe	spoolsv.exe
PID 3028 set thread context of 2252	3028	spoolsv.exe	spoolsv.exe
PID 2656 set thread context of 2612	2656	spoolsv.exe	spoolsv.exe
PID 2176 set thread context of 2500	2176	spoolsv.exe	spoolsv.exe
PID 1428 set thread context of 1944	1428	spoolsv.exe	spoolsv.exe
PID 2444 set thread context of 1680	2444	spoolsv.exe	spoolsv.exe
PID 2032 set thread context of 108	2032	spoolsv.exe	spoolsv.exe
PID 2324 set thread context of 2200	2324	spoolsv.exe	spoolsv.exe
PID 2408 set thread context of 2192	2408	spoolsv.exe	spoolsv.exe
PID 2736 set thread context of 3004	2736	spoolsv.exe	spoolsv.exe
PID 2948 set thread context of 2468	2948	spoolsv.exe	spoolsv.exe
PID 1396 set thread context of 1548	1396	spoolsv.exe	spoolsv.exe
PID 1260 set thread context of 576	1260	spoolsv.exe	spoolsv.exe
PID 2808 set thread context of 1488	2808	spoolsv.exe	spoolsv.exe
PID 1324 set thread context of 2016	1324	spoolsv.exe	spoolsv.exe
PID 896 set thread context of 2104	896	spoolsv.exe	spoolsv.exe
PID 2476 set thread context of 2796	2476	spoolsv.exe	spoolsv.exe
PID 2940 set thread context of 868	2940	spoolsv.exe	spoolsv.exe
PID 1440 set thread context of 988	1440	spoolsv.exe	spoolsv.exe
PID 2884 set thread context of 616	2884	spoolsv.exe	spoolsv.exe
PID 2868 set thread context of 1604	2868	spoolsv.exe	spoolsv.exe
PID 1256 set thread context of 2836	1256	spoolsv.exe	spoolsv.exe
PID 2736 set thread context of 2504	2736	spoolsv.exe	spoolsv.exe
PID 2904 set thread context of 2748	2904	spoolsv.exe	spoolsv.exe
PID 1396 set thread context of 2152	1396	spoolsv.exe	spoolsv.exe
PID 708 set thread context of 2552	708	spoolsv.exe	spoolsv.exe
PID 1356 set thread context of 2228	1356	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 1288	1716	spoolsv.exe	spoolsv.exe
PID 2400 set thread context of 2484	2400	spoolsv.exe	spoolsv.exe
PID 1340 set thread context of 2788	1340	spoolsv.exe	spoolsv.exe
PID 1580 set thread context of 1428	1580	spoolsv.exe	spoolsv.exe
PID 1340 set thread context of 1968	1340	spoolsv.exe	diskperf.exe
PID 3064 set thread context of 1348	3064	spoolsv.exe	spoolsv.exe
PID 3064 set thread context of 1512	3064	spoolsv.exe	diskperf.exe
PID 1828 set thread context of 2884	1828	spoolsv.exe	spoolsv.exe
PID 2092 set thread context of 1592	2092	spoolsv.exe	spoolsv.exe
PID 2236 set thread context of 1764	2236	explorer.exe	explorer.exe
PID 2092 set thread context of 572	2092	spoolsv.exe	diskperf.exe
PID 1804 set thread context of 1652	1804	spoolsv.exe	spoolsv.exe
PID 1804 set thread context of 332	1804	spoolsv.exe	diskperf.exe
PID 1332 set thread context of 904	1332	spoolsv.exe	spoolsv.exe
PID 2524 set thread context of 2940	2524	spoolsv.exe	spoolsv.exe
PID 2524 set thread context of 2272	2524	spoolsv.exe	diskperf.exe
PID 968 set thread context of 2032	968	spoolsv.exe	spoolsv.exe
PID 2284 set thread context of 1788	2284	spoolsv.exe	spoolsv.exe
PID 2284 set thread context of 356	2284	spoolsv.exe	diskperf.exe
PID 1120 set thread context of 936	1120	spoolsv.exe	spoolsv.exe
PID 2256 set thread context of 1508	2256	spoolsv.exe	spoolsv.exe
PID 1120 set thread context of 2348	1120	spoolsv.exe	diskperf.exe
PID 1524 set thread context of 1152	1524	explorer.exe	explorer.exe
PID 2528 set thread context of 2784	2528	spoolsv.exe	spoolsv.exe
PID 2612 set thread context of 2308	2612	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 52 IoCs

Processes:

spoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe076ef9b8febf33deb3cae4018a580460_NEAS.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2640 2748 WerFault.exe spoolsv.exe

pid	pid_target	process	target process
2640	2748	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

076ef9b8febf33deb3cae4018a580460_NEAS.exe076ef9b8febf33deb3cae4018a580460_NEAS.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe
2928	076ef9b8febf33deb3cae4018a580460_NEAS.exe
1584	explorer.exe
2132	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2264	spoolsv.exe
2992	explorer.exe
1296	spoolsv.exe
2992	explorer.exe
1008	spoolsv.exe
2992	explorer.exe
1820	spoolsv.exe
2992	explorer.exe
864	spoolsv.exe
2992	explorer.exe
1900	spoolsv.exe
2992	explorer.exe
3028	spoolsv.exe
2992	explorer.exe
2656	spoolsv.exe
2992	explorer.exe
2176	spoolsv.exe
2992	explorer.exe
1428	spoolsv.exe
2992	explorer.exe
2444	spoolsv.exe
2992	explorer.exe
2032	spoolsv.exe
2992	explorer.exe
2324	spoolsv.exe
2992	explorer.exe
2408	spoolsv.exe
2992	explorer.exe
2736	spoolsv.exe
2992	explorer.exe
2948	spoolsv.exe
2992	explorer.exe
1396	spoolsv.exe
2992	explorer.exe
1260	spoolsv.exe
2992	explorer.exe
2808	spoolsv.exe
2992	explorer.exe
1324	spoolsv.exe
2992	explorer.exe
896	spoolsv.exe
2992	explorer.exe
2476	spoolsv.exe
2992	explorer.exe
2940	spoolsv.exe
2992	explorer.exe
1440	spoolsv.exe
2992	explorer.exe
2884	spoolsv.exe
2992	explorer.exe
2868	spoolsv.exe
2992	explorer.exe
1256	spoolsv.exe
2992	explorer.exe
2736	spoolsv.exe
2992	explorer.exe
2904	spoolsv.exe
2992	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe
2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe
2928	076ef9b8febf33deb3cae4018a580460_NEAS.exe
2928	076ef9b8febf33deb3cae4018a580460_NEAS.exe
1584	explorer.exe
1584	explorer.exe
2992	explorer.exe
2992	explorer.exe
2132	spoolsv.exe
2132	spoolsv.exe
2992	explorer.exe
2992	explorer.exe
2264	spoolsv.exe
2264	spoolsv.exe
1296	spoolsv.exe
1296	spoolsv.exe
1008	spoolsv.exe
1008	spoolsv.exe
1820	spoolsv.exe
1820	spoolsv.exe
864	spoolsv.exe
864	spoolsv.exe
1900	spoolsv.exe
1900	spoolsv.exe
3028	spoolsv.exe
3028	spoolsv.exe
2656	spoolsv.exe
2656	spoolsv.exe
2176	spoolsv.exe
2176	spoolsv.exe
1428	spoolsv.exe
1428	spoolsv.exe
2444	spoolsv.exe
2444	spoolsv.exe
2032	spoolsv.exe
2032	spoolsv.exe
2324	spoolsv.exe
2324	spoolsv.exe
2408	spoolsv.exe
2408	spoolsv.exe
2736	spoolsv.exe
2736	spoolsv.exe
2948	spoolsv.exe
2948	spoolsv.exe
1396	spoolsv.exe
1396	spoolsv.exe
1260	spoolsv.exe
1260	spoolsv.exe
2808	spoolsv.exe
2808	spoolsv.exe
1324	spoolsv.exe
1324	spoolsv.exe
896	spoolsv.exe
896	spoolsv.exe
2476	spoolsv.exe
2476	spoolsv.exe
2940	spoolsv.exe
2940	spoolsv.exe
1440	spoolsv.exe
1440	spoolsv.exe
2884	spoolsv.exe
2884	spoolsv.exe
2868	spoolsv.exe
2868	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

076ef9b8febf33deb3cae4018a580460_NEAS.exe076ef9b8febf33deb3cae4018a580460_NEAS.exe076ef9b8febf33deb3cae4018a580460_NEAS.exeexplorer.exe

description	pid	process	target process
PID 2360 wrote to memory of 2012	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	cmd.exe
PID 2360 wrote to memory of 2012	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	cmd.exe
PID 2360 wrote to memory of 2012	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	cmd.exe
PID 2360 wrote to memory of 2012	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	cmd.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 2360 wrote to memory of 1996	2360	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2928	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	076ef9b8febf33deb3cae4018a580460_NEAS.exe
PID 1996 wrote to memory of 2780	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	diskperf.exe
PID 1996 wrote to memory of 2780	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	diskperf.exe
PID 1996 wrote to memory of 2780	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	diskperf.exe
PID 1996 wrote to memory of 2780	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	diskperf.exe
PID 1996 wrote to memory of 2780	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	diskperf.exe
PID 1996 wrote to memory of 2780	1996	076ef9b8febf33deb3cae4018a580460_NEAS.exe	diskperf.exe
PID 2928 wrote to memory of 1584	2928	076ef9b8febf33deb3cae4018a580460_NEAS.exe	explorer.exe
PID 2928 wrote to memory of 1584	2928	076ef9b8febf33deb3cae4018a580460_NEAS.exe	explorer.exe
PID 2928 wrote to memory of 1584	2928	076ef9b8febf33deb3cae4018a580460_NEAS.exe	explorer.exe
PID 2928 wrote to memory of 1584	2928	076ef9b8febf33deb3cae4018a580460_NEAS.exe	explorer.exe
PID 1584 wrote to memory of 1948	1584	explorer.exe	cmd.exe
PID 1584 wrote to memory of 1948	1584	explorer.exe	cmd.exe
PID 1584 wrote to memory of 1948	1584	explorer.exe	cmd.exe
PID 1584 wrote to memory of 1948	1584	explorer.exe	cmd.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe
PID 1584 wrote to memory of 2344	1584	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\076ef9b8febf33deb3cae4018a580460_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\076ef9b8febf33deb3cae4018a580460_NEAS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\076ef9b8febf33deb3cae4018a580460_NEAS.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2012

C:\Users\Admin\AppData\Local\Temp\076ef9b8febf33deb3cae4018a580460_NEAS.exe
C:\Users\Admin\AppData\Local\Temp\076ef9b8febf33deb3cae4018a580460_NEAS.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\076ef9b8febf33deb3cae4018a580460_NEAS.exe
C:\Users\Admin\AppData\Local\Temp\076ef9b8febf33deb3cae4018a580460_NEAS.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:1948

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2344

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2788

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1480

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1764

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3064

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1348

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1512

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1652

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:2668

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1152

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2940

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2284

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1788

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:936

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2172

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2792

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2612

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2308

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2620

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:840

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2180

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2416

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1028

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:1380

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2596

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1052

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2076

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:972

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1488

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 36
9⤵
- Program crash
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1288

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2484

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2588

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2556

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:352

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
076ef9b8febf33deb3cae4018a580460

SHA1
2b404428fde62e0f600da698cd3f47a62d4afb24

SHA256
7736dee71f6b746976410e7d95f12bfa36032f9f16f7b5f5476c9488470e06d0

SHA512
2b84a110f3bd50f73cc08ccb7b6487b3a870a7f105e38483c3c512d798579b4d8e3d9717eed7a2192497f680714efd6b6d4f41002f47ef576551c3b811435eb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
2.9MB

MD5
ef703c3c799a738a7a0a36273367b916

SHA1
4d0e0b5e661a3bb257d4a51bcefc9305de2795fa

SHA256
ac5538c694bcdbaa5c9c22fac2134d8f7423e092b2f3786813720eb20c56f972

SHA512
57fdc16f6a5f8ad4e65f704aaca69f9cc0f8adb572e3688d2a93ca1e86b9bb7cde85c90449726a70eea6a786bb7247e3cf3cb85a12e3fd134f637221956e8ea3

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
d2be8234732f0857a6faa2f36a700a5d

SHA1
8b91153a9e2282b8c99eb4bdebede097ffbd545e

SHA256
5cc214ecdc338605794efef04bd16a009a94a4b339292041242b946371470437

SHA512
c768c08a648824c3ec321dd7f933bc535f38d18c8ac76dc862693a93d429fd8c8b042e20b2420a354e6e240e348dc8b441eeeb3a7343ee51a4bd9359e6f9c3f0

Download Submit
memory/108-833-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/576-1116-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/616-1452-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/868-1355-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/988-1404-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1120-542-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1120-2371-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1340-1957-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1340-240-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1488-1163-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1548-1067-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1604-1502-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1680-787-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1680-2669-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1804-390-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1804-2136-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1944-740-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1944-2648-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1996-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1996-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1996-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1996-27-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-81-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1996-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1996-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-47-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/1996-48-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1996-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1996-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1996-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1996-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1996-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2016-1212-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2092-2097-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2092-340-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2104-1259-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2192-924-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2200-878-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2200-2802-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2252-592-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2252-2485-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2284-492-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2284-2281-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2344-172-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2344-144-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2468-1020-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2500-694-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2500-2513-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2504-1598-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2524-441-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2524-2210-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2612-643-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2612-2486-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2748-1642-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2780-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-85-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2796-1307-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2836-1550-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2928-61-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2928-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3004-971-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3064-1985-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3064-290-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download