warzonerat | d0dfaedb149cd17b20ecfa2f37d7bebddc7785c258e57361fcdbbe7a818a1468

Analysis

max time kernel
147s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
Size

2.9MB
MD5

e25c8d35031b2ca6d5a0ba00e5e705d0
SHA1

ef8f9b45ed4715a1e4dbcf382b7c72957b1214c0
SHA256

d0dfaedb149cd17b20ecfa2f37d7bebddc7785c258e57361fcdbbe7a818a1468
SHA512

e7d7a392827b6c42d428a918c4c4f3a74cc832d168b00e5140628f51b3aa247e10dbfbcd1fa5f4a52ea24903faf1c8bdf5a68f1c6247682f27fc43dae9347dc5
SSDEEP

24576:eTy7ASmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH8:eTy7ASmw4gxeOw46fUbNecCCFbNecj

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 21 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1608	explorer.exe
1936	explorer.exe
1952	explorer.exe
1956	spoolsv.exe
604	spoolsv.exe
2036	spoolsv.exe
2780	spoolsv.exe
1808	spoolsv.exe
1624	spoolsv.exe
2748	spoolsv.exe
2436	spoolsv.exe
1512	spoolsv.exe
2716	spoolsv.exe
2100	spoolsv.exe
688	spoolsv.exe
1292	spoolsv.exe
2264	spoolsv.exe
2012	spoolsv.exe
2228	spoolsv.exe
2632	spoolsv.exe
2660	spoolsv.exe
2544	spoolsv.exe
1880	spoolsv.exe
1528	spoolsv.exe
1668	spoolsv.exe
1752	spoolsv.exe
2192	spoolsv.exe
780	spoolsv.exe
1940	spoolsv.exe
1956	spoolsv.exe
1084	spoolsv.exe
2888	spoolsv.exe
2580	spoolsv.exe
2696	spoolsv.exe
2656	spoolsv.exe
2108	spoolsv.exe
1620	spoolsv.exe
2044	spoolsv.exe
2056	spoolsv.exe
2420	spoolsv.exe
1012	spoolsv.exe
1060	spoolsv.exe
340	spoolsv.exe
2508	spoolsv.exe
1104	spoolsv.exe
2356	spoolsv.exe
1808	spoolsv.exe
1552	spoolsv.exe
2492	spoolsv.exe
1244	spoolsv.exe
2708	spoolsv.exe
1436	spoolsv.exe
1020	spoolsv.exe
828	spoolsv.exe
936	spoolsv.exe
1424	spoolsv.exe
1992	spoolsv.exe
2892	spoolsv.exe
2832	spoolsv.exe
320	spoolsv.exe
2696	spoolsv.exe
2108	spoolsv.exe
2304	spoolsv.exe
1448	spoolsv.exe

Loads dropped DLL 64 IoCs

Processes:

e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2764	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
2764	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
1952	explorer.exe
1952	explorer.exe
1956	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2036	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
1808	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2748	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
1512	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2100	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
1292	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2012	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2632	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2544	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
1528	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
1752	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
780	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
1956	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2888	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2696	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2108	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2044	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2420	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
1060	spoolsv.exe
1952	explorer.exe
1952	explorer.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exee25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exee25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2340 set thread context of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 set thread context of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 set thread context of 1948	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	diskperf.exe
PID 1608 set thread context of 1936	1608	explorer.exe	explorer.exe
PID 1936 set thread context of 1952	1936	explorer.exe	explorer.exe
PID 1936 set thread context of 1476	1936	explorer.exe	diskperf.exe
PID 1956 set thread context of 604	1956	spoolsv.exe	spoolsv.exe
PID 2036 set thread context of 2780	2036	spoolsv.exe	spoolsv.exe
PID 1808 set thread context of 1624	1808	spoolsv.exe	spoolsv.exe
PID 2748 set thread context of 2436	2748	spoolsv.exe	spoolsv.exe
PID 1512 set thread context of 2716	1512	spoolsv.exe	spoolsv.exe
PID 2100 set thread context of 688	2100	spoolsv.exe	spoolsv.exe
PID 1292 set thread context of 2264	1292	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 2228	2012	spoolsv.exe	spoolsv.exe
PID 2632 set thread context of 2660	2632	spoolsv.exe	spoolsv.exe
PID 2544 set thread context of 1880	2544	spoolsv.exe	spoolsv.exe
PID 1528 set thread context of 1668	1528	spoolsv.exe	spoolsv.exe
PID 1752 set thread context of 2192	1752	spoolsv.exe	spoolsv.exe
PID 780 set thread context of 1940	780	spoolsv.exe	spoolsv.exe
PID 1956 set thread context of 1084	1956	spoolsv.exe	spoolsv.exe
PID 2888 set thread context of 2580	2888	spoolsv.exe	spoolsv.exe
PID 2696 set thread context of 2656	2696	spoolsv.exe	spoolsv.exe
PID 2108 set thread context of 1620	2108	spoolsv.exe	spoolsv.exe
PID 2044 set thread context of 2056	2044	spoolsv.exe	spoolsv.exe
PID 2420 set thread context of 1012	2420	spoolsv.exe	spoolsv.exe
PID 1060 set thread context of 340	1060	spoolsv.exe	spoolsv.exe
PID 2508 set thread context of 1104	2508	spoolsv.exe	spoolsv.exe
PID 2356 set thread context of 1808	2356	spoolsv.exe	spoolsv.exe
PID 1552 set thread context of 2492	1552	spoolsv.exe	spoolsv.exe
PID 1244 set thread context of 2708	1244	spoolsv.exe	spoolsv.exe
PID 1436 set thread context of 1020	1436	spoolsv.exe	spoolsv.exe
PID 828 set thread context of 936	828	spoolsv.exe	spoolsv.exe
PID 1424 set thread context of 1992	1424	spoolsv.exe	spoolsv.exe
PID 2892 set thread context of 2832	2892	spoolsv.exe	spoolsv.exe
PID 320 set thread context of 2696	320	spoolsv.exe	spoolsv.exe
PID 2108 set thread context of 2304	2108	spoolsv.exe	spoolsv.exe
PID 1448 set thread context of 1076	1448	spoolsv.exe	spoolsv.exe
PID 1240 set thread context of 1724	1240	spoolsv.exe	spoolsv.exe
PID 2276 set thread context of 1112	2276	spoolsv.exe	spoolsv.exe
PID 604 set thread context of 2932	604	spoolsv.exe	spoolsv.exe
PID 604 set thread context of 2784	604	spoolsv.exe	diskperf.exe
PID 1200 set thread context of 1840	1200	spoolsv.exe	spoolsv.exe
PID 2432 set thread context of 2712	2432	explorer.exe	explorer.exe
PID 2668 set thread context of 2544	2668	spoolsv.exe	spoolsv.exe
PID 2780 set thread context of 1432	2780	spoolsv.exe	spoolsv.exe
PID 2780 set thread context of 1836	2780	spoolsv.exe	diskperf.exe
PID 1624 set thread context of 1180	1624	spoolsv.exe	spoolsv.exe
PID 1624 set thread context of 496	1624	spoolsv.exe	diskperf.exe
PID 2436 set thread context of 2380	2436	spoolsv.exe	spoolsv.exe
PID 2436 set thread context of 1764	2436	spoolsv.exe	diskperf.exe
PID 1296 set thread context of 1116	1296	spoolsv.exe	spoolsv.exe
PID 2716 set thread context of 1820	2716	spoolsv.exe	spoolsv.exe
PID 2716 set thread context of 2944	2716	spoolsv.exe	diskperf.exe
PID 808 set thread context of 2524	808	explorer.exe	explorer.exe
PID 2984 set thread context of 2000	2984	spoolsv.exe	spoolsv.exe
PID 688 set thread context of 1628	688	spoolsv.exe	spoolsv.exe
PID 688 set thread context of 2120	688	spoolsv.exe	diskperf.exe
PID 2264 set thread context of 1604	2264	spoolsv.exe	spoolsv.exe
PID 2264 set thread context of 544	2264	spoolsv.exe	diskperf.exe
PID 620 set thread context of 1784	620	spoolsv.exe	spoolsv.exe
PID 2344 set thread context of 1420	2344	explorer.exe	explorer.exe
PID 1816 set thread context of 2788	1816	spoolsv.exe	spoolsv.exe
PID 2228 set thread context of 1672	2228	spoolsv.exe	spoolsv.exe
PID 2228 set thread context of 2536	2228	spoolsv.exe	diskperf.exe

Drops file in Windows directory 50 IoCs

Processes:

spoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exee25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exee25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
2764	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
1608	explorer.exe
1956	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2036	spoolsv.exe
1952	explorer.exe
1808	spoolsv.exe
1952	explorer.exe
2748	spoolsv.exe
1952	explorer.exe
1512	spoolsv.exe
1952	explorer.exe
2100	spoolsv.exe
1952	explorer.exe
1292	spoolsv.exe
1952	explorer.exe
2012	spoolsv.exe
1952	explorer.exe
2632	spoolsv.exe
1952	explorer.exe
2544	spoolsv.exe
1952	explorer.exe
1528	spoolsv.exe
1952	explorer.exe
1752	spoolsv.exe
1952	explorer.exe
780	spoolsv.exe
1952	explorer.exe
1956	spoolsv.exe
1952	explorer.exe
2888	spoolsv.exe
1952	explorer.exe
2696	spoolsv.exe
1952	explorer.exe
2108	spoolsv.exe
1952	explorer.exe
2044	spoolsv.exe
1952	explorer.exe
2420	spoolsv.exe
1952	explorer.exe
1060	spoolsv.exe
1952	explorer.exe
2508	spoolsv.exe
1952	explorer.exe
2356	spoolsv.exe
1952	explorer.exe
1552	spoolsv.exe
1952	explorer.exe
1244	spoolsv.exe
1952	explorer.exe
1436	spoolsv.exe
1952	explorer.exe
828	spoolsv.exe
1952	explorer.exe
1424	spoolsv.exe
1952	explorer.exe
2892	spoolsv.exe
1952	explorer.exe
320	spoolsv.exe
1952	explorer.exe
2108	spoolsv.exe
1952	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
2764	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
2764	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
1608	explorer.exe
1608	explorer.exe
1952	explorer.exe
1952	explorer.exe
1956	spoolsv.exe
1956	spoolsv.exe
1952	explorer.exe
1952	explorer.exe
2036	spoolsv.exe
2036	spoolsv.exe
1808	spoolsv.exe
1808	spoolsv.exe
2748	spoolsv.exe
2748	spoolsv.exe
1512	spoolsv.exe
1512	spoolsv.exe
2100	spoolsv.exe
2100	spoolsv.exe
1292	spoolsv.exe
1292	spoolsv.exe
2012	spoolsv.exe
2012	spoolsv.exe
2632	spoolsv.exe
2632	spoolsv.exe
2544	spoolsv.exe
2544	spoolsv.exe
1528	spoolsv.exe
1528	spoolsv.exe
1752	spoolsv.exe
1752	spoolsv.exe
780	spoolsv.exe
780	spoolsv.exe
1956	spoolsv.exe
1956	spoolsv.exe
2888	spoolsv.exe
2888	spoolsv.exe
2696	spoolsv.exe
2696	spoolsv.exe
2108	spoolsv.exe
2108	spoolsv.exe
2044	spoolsv.exe
2044	spoolsv.exe
2420	spoolsv.exe
2420	spoolsv.exe
1060	spoolsv.exe
1060	spoolsv.exe
2508	spoolsv.exe
2508	spoolsv.exe
2356	spoolsv.exe
2356	spoolsv.exe
1552	spoolsv.exe
1552	spoolsv.exe
1244	spoolsv.exe
1244	spoolsv.exe
1436	spoolsv.exe
1436	spoolsv.exe
828	spoolsv.exe
828	spoolsv.exe
1424	spoolsv.exe
1424	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exee25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exee25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exeexplorer.exe

description	pid	process	target process
PID 2340 wrote to memory of 1664	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	cmd.exe
PID 2340 wrote to memory of 1664	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	cmd.exe
PID 2340 wrote to memory of 1664	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	cmd.exe
PID 2340 wrote to memory of 1664	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	cmd.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2340 wrote to memory of 2320	2340	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 2764	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
PID 2320 wrote to memory of 1948	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	diskperf.exe
PID 2320 wrote to memory of 1948	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	diskperf.exe
PID 2320 wrote to memory of 1948	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	diskperf.exe
PID 2320 wrote to memory of 1948	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	diskperf.exe
PID 2320 wrote to memory of 1948	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	diskperf.exe
PID 2320 wrote to memory of 1948	2320	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	diskperf.exe
PID 2764 wrote to memory of 1608	2764	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	explorer.exe
PID 2764 wrote to memory of 1608	2764	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	explorer.exe
PID 2764 wrote to memory of 1608	2764	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	explorer.exe
PID 2764 wrote to memory of 1608	2764	e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe	explorer.exe
PID 1608 wrote to memory of 2484	1608	explorer.exe	cmd.exe
PID 1608 wrote to memory of 2484	1608	explorer.exe	cmd.exe
PID 1608 wrote to memory of 2484	1608	explorer.exe	cmd.exe
PID 1608 wrote to memory of 2484	1608	explorer.exe	cmd.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe
PID 1608 wrote to memory of 1936	1608	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1664

C:\Users\Admin\AppData\Local\Temp\e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\e25c8d35031b2ca6d5a0ba00e5e705d0_NeikiAnalytics.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2484

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1936

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2932

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:2748

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2712

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1432

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:972

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2524

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1180

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1820

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1628

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1696

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1420

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2120

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1604

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1672

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Drops file in Windows directory
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:940

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1632

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1844

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:692

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:760

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2972

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2560

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2768

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2796

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1012

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2492

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2004

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1992

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1016

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:748

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1132

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1208

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1608

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:1680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1476

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
e25c8d35031b2ca6d5a0ba00e5e705d0

SHA1
ef8f9b45ed4715a1e4dbcf382b7c72957b1214c0

SHA256
d0dfaedb149cd17b20ecfa2f37d7bebddc7785c258e57361fcdbbe7a818a1468

SHA512
e7d7a392827b6c42d428a918c4c4f3a74cc832d168b00e5140628f51b3aa247e10dbfbcd1fa5f4a52ea24903faf1c8bdf5a68f1c6247682f27fc43dae9347dc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
99ac06e94a85a767e8875bbad2c1db8e

SHA1
0e98f79cc651f901ac262bcebb7a40d5e781a518

SHA256
fd8a87f6e594a8b093ed777fb59091ba632ffa5d905c9d6fb69ca344ed9833f0

SHA512
215a02244658cd32dff2c455817f4ee3ec95b484eb5e0ba517d6e7889b17ce5db8c3b547c18c2494f7620c61f1fb55e3ce1700b71bb77671fe32a7e8a54ef625

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
8a4d85680b763aad92e4c3ccdacb0328

SHA1
e28cc74d305389c75479957754d3d0cd63a70565

SHA256
b101afe228d7386d46379b7ccc3037f4d2fcf6a908c09bf8d755a4cf36cd5afd

SHA512
d1842e566840bb32d3b2217db8aeb9155ffdb729f1b77657f5a37e729b477e756578f76a84891aeabb73798c37883a3291b002fdcd3be7fa0a2a74b5c4a8184c

Download Submit
memory/340-1171-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/604-1801-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/604-242-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/688-2215-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/688-494-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/936-1459-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1012-1125-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1020-1410-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1084-884-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1104-1219-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1620-1028-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1624-344-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1624-1977-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1668-744-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1668-2672-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1808-1268-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1880-700-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1880-2602-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1936-174-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1936-146-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1940-837-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1948-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1948-84-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1948-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1948-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2056-1075-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2192-791-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2228-2397-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2228-594-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2264-2277-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2264-546-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-19-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-82-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-50-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2320-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-52-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2320-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2320-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-21-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2320-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2436-388-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2436-2034-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2492-1314-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2656-979-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2660-644-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2660-2423-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2708-1361-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2716-441-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2716-2130-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2764-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2780-1953-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2780-292-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download