warzonerat | 58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
Size

2.9MB
MD5

6431f37946abfa89e940fa27fe6c3718
SHA1

2eba6e19326c672869e4e4b00f0086668e3bea12
SHA256

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1
SHA512

6338e1894662d1414f849d5096b317e890abeedfd59a2bd20de4204dc23d1b1bbd4595abf175cdaae846bd502e0f49943a7285eb2ccf61465370b88b3a3cbbc7
SSDEEP

49152:7v97AXmw4gxeOw46fUbNecCCFbNecZKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKe:7v97K9xZw46G8q8Q

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Detects executables packed with ASPack 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3712-1-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-5-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-4-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-8-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-6-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-3-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-2-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-7-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-10-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-28-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3712-25-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2524-45-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2524-42-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2524-44-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2524-43-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2524-46-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2524-47-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2524-51-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2524-64-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2524-67-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2920-86-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2920-83-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2920-82-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2920-85-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2920-84-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2920-81-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3260-98-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3260-96-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3260-100-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3260-97-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3260-95-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3260-99-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1220-108-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1220-111-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1220-109-0x0000000000400000-0x0000000001400000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1220-110-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1220-107-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1220-112-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3736-124-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/5072-137-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/5024-150-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1708-162-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3684-175-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/464-187-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4192-200-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1568-212-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2936-226-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3664-239-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3624-251-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1696-266-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1192-280-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4556-294-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2124-304-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1832-319-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1580-331-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2580-343-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4592-353-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4932-364-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1828-376-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4076-386-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4860-398-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1052-409-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2140-419-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1220-479-0x0000000000400000-0x0000000000628000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 30 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1088	explorer.exe
2524	explorer.exe
4968	explorer.exe
3756	spoolsv.exe
2920	spoolsv.exe
388	spoolsv.exe
3260	spoolsv.exe
1584	spoolsv.exe
1220	spoolsv.exe
3508	spoolsv.exe
3736	spoolsv.exe
3332	spoolsv.exe
5072	spoolsv.exe
3472	spoolsv.exe
5024	spoolsv.exe
3972	spoolsv.exe
1708	spoolsv.exe
2232	spoolsv.exe
3684	spoolsv.exe
4500	spoolsv.exe
464	spoolsv.exe
4580	spoolsv.exe
4192	spoolsv.exe
1192	spoolsv.exe
1568	spoolsv.exe
2636	spoolsv.exe
2936	spoolsv.exe
232	spoolsv.exe
3664	spoolsv.exe
384	spoolsv.exe
3624	spoolsv.exe
1968	spoolsv.exe
1696	spoolsv.exe
1436	spoolsv.exe
1192	spoolsv.exe
2564	spoolsv.exe
4556	spoolsv.exe
2888	spoolsv.exe
2124	spoolsv.exe
4868	spoolsv.exe
1832	spoolsv.exe
1940	spoolsv.exe
1580	spoolsv.exe
5092	spoolsv.exe
2580	spoolsv.exe
1628	spoolsv.exe
4592	spoolsv.exe
628	spoolsv.exe
4932	spoolsv.exe
3620	spoolsv.exe
1828	spoolsv.exe
3996	spoolsv.exe
4076	spoolsv.exe
2796	spoolsv.exe
4860	spoolsv.exe
2136	spoolsv.exe
1052	spoolsv.exe
4584	spoolsv.exe
3800	spoolsv.exe
1400	spoolsv.exe
2216	spoolsv.exe
3092	spoolsv.exe
3536	spoolsv.exe
2272	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 34 IoCs

Processes:

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2464 set thread context of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 set thread context of 772	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 set thread context of 876	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 1088 set thread context of 2524	1088	explorer.exe	explorer.exe
PID 2524 set thread context of 4968	2524	explorer.exe	explorer.exe
PID 2524 set thread context of 960	2524	explorer.exe	diskperf.exe
PID 3756 set thread context of 2920	3756	spoolsv.exe	spoolsv.exe
PID 388 set thread context of 3260	388	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 1220	1584	spoolsv.exe	spoolsv.exe
PID 3508 set thread context of 3736	3508	spoolsv.exe	spoolsv.exe
PID 3332 set thread context of 5072	3332	spoolsv.exe	spoolsv.exe
PID 3472 set thread context of 5024	3472	spoolsv.exe	spoolsv.exe
PID 3972 set thread context of 1708	3972	spoolsv.exe	spoolsv.exe
PID 2232 set thread context of 3684	2232	spoolsv.exe	spoolsv.exe
PID 4500 set thread context of 464	4500	spoolsv.exe	spoolsv.exe
PID 4580 set thread context of 4192	4580	spoolsv.exe	spoolsv.exe
PID 1192 set thread context of 1568	1192	spoolsv.exe	spoolsv.exe
PID 2636 set thread context of 2936	2636	spoolsv.exe	spoolsv.exe
PID 232 set thread context of 3664	232	spoolsv.exe	spoolsv.exe
PID 384 set thread context of 3624	384	spoolsv.exe	spoolsv.exe
PID 1968 set thread context of 1696	1968	spoolsv.exe	spoolsv.exe
PID 1436 set thread context of 1192	1436	spoolsv.exe	spoolsv.exe
PID 2564 set thread context of 4556	2564	spoolsv.exe	spoolsv.exe
PID 2888 set thread context of 2124	2888	spoolsv.exe	spoolsv.exe
PID 4868 set thread context of 1832	4868	spoolsv.exe	spoolsv.exe
PID 1940 set thread context of 1580	1940	spoolsv.exe	spoolsv.exe
PID 5092 set thread context of 2580	5092	spoolsv.exe	spoolsv.exe
PID 1628 set thread context of 4592	1628	spoolsv.exe	spoolsv.exe
PID 628 set thread context of 4932	628	spoolsv.exe	spoolsv.exe
PID 3620 set thread context of 1828	3620	spoolsv.exe	spoolsv.exe
PID 3996 set thread context of 4076	3996	spoolsv.exe	spoolsv.exe
PID 2796 set thread context of 4860	2796	spoolsv.exe	spoolsv.exe
PID 2136 set thread context of 1052	2136	spoolsv.exe	spoolsv.exe
PID 4584 set thread context of 2140	4584	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 32 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3428 2796 WerFault.exe spoolsv.exe
4868 1968 WerFault.exe spoolsv.exe

pid	pid_target	process	target process
3428	2796	WerFault.exe	spoolsv.exe
4868	1968	WerFault.exe	spoolsv.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
772	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
772	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
1088	explorer.exe
1088	explorer.exe
3756	spoolsv.exe
3756	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
4968	explorer.exe
4968	explorer.exe
388	spoolsv.exe
388	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
1584	spoolsv.exe
1584	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
3508	spoolsv.exe
3508	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
3332	spoolsv.exe
3332	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
3472	spoolsv.exe
3472	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
3972	spoolsv.exe
3972	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
2232	spoolsv.exe
2232	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
4500	spoolsv.exe
4500	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
4580	spoolsv.exe
4580	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
1192	spoolsv.exe
1192	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
2636	spoolsv.exe
2636	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
232	spoolsv.exe
232	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
384	spoolsv.exe
384	spoolsv.exe
4968	explorer.exe
4968	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	4368	dwm.exe
Token: SeChangeNotifyPrivilege	4368	dwm.exe
Token: 33	4368	dwm.exe
Token: SeIncBasePriorityPrivilege	4368	dwm.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
772	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
772	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
1088	explorer.exe
1088	explorer.exe
4968	explorer.exe
4968	explorer.exe
3756	spoolsv.exe
3756	spoolsv.exe
4968	explorer.exe
4968	explorer.exe
388	spoolsv.exe
388	spoolsv.exe
1584	spoolsv.exe
1584	spoolsv.exe
3508	spoolsv.exe
3508	spoolsv.exe
3332	spoolsv.exe
3332	spoolsv.exe
3472	spoolsv.exe
3472	spoolsv.exe
3972	spoolsv.exe
3972	spoolsv.exe
2232	spoolsv.exe
2232	spoolsv.exe
4500	spoolsv.exe
4500	spoolsv.exe
4580	spoolsv.exe
4580	spoolsv.exe
1192	spoolsv.exe
1192	spoolsv.exe
2636	spoolsv.exe
2636	spoolsv.exe
232	spoolsv.exe
232	spoolsv.exe
384	spoolsv.exe
384	spoolsv.exe
1968	spoolsv.exe
1968	spoolsv.exe
1436	spoolsv.exe
1436	spoolsv.exe
2564	spoolsv.exe
2564	spoolsv.exe
2888	spoolsv.exe
2888	spoolsv.exe
4868	spoolsv.exe
4868	spoolsv.exe
1940	spoolsv.exe
1940	spoolsv.exe
5092	spoolsv.exe
5092	spoolsv.exe
1628	spoolsv.exe
1628	spoolsv.exe
628	spoolsv.exe
628	spoolsv.exe
3620	spoolsv.exe
3620	spoolsv.exe
3996	spoolsv.exe
3996	spoolsv.exe
2796	spoolsv.exe
2796	spoolsv.exe
2136	spoolsv.exe
2136	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exeexplorer.exe

description	pid	process	target process
PID 2464 wrote to memory of 2372	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	cmd.exe
PID 2464 wrote to memory of 2372	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	cmd.exe
PID 2464 wrote to memory of 2372	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	cmd.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 2464 wrote to memory of 3712	2464	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 wrote to memory of 772	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 wrote to memory of 772	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 wrote to memory of 772	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 wrote to memory of 772	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 wrote to memory of 772	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 wrote to memory of 772	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 wrote to memory of 772	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 wrote to memory of 772	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
PID 3712 wrote to memory of 876	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 3712 wrote to memory of 876	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 3712 wrote to memory of 876	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 3712 wrote to memory of 876	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 3712 wrote to memory of 876	3712	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	diskperf.exe
PID 772 wrote to memory of 1088	772	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	explorer.exe
PID 772 wrote to memory of 1088	772	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	explorer.exe
PID 772 wrote to memory of 1088	772	58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe	explorer.exe
PID 1088 wrote to memory of 1556	1088	explorer.exe	cmd.exe
PID 1088 wrote to memory of 1556	1088	explorer.exe	cmd.exe
PID 1088 wrote to memory of 1556	1088	explorer.exe	cmd.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe
PID 1088 wrote to memory of 2524	1088	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
"C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2372

C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3712

C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
C:\Users\Admin\AppData\Local\Temp\58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:1556

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2524

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2872

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3656

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4552

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:388

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3428

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:5092

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3616

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:5072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1592

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:5024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4528

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3536

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3448

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4324

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:4504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:3324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1588

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4436

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2340

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1832

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1044

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3988

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1456

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4580

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 564
8⤵
- Program crash
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2348

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2196

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4924

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1940

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:388

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 400
8⤵
- Program crash
PID:4868

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2932

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:960

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1336,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=4332 /prefetch:8
1⤵
PID:3984

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1968 -ip 1968
1⤵
PID:1704

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
2.9MB

MD5
6431f37946abfa89e940fa27fe6c3718

SHA1
2eba6e19326c672869e4e4b00f0086668e3bea12

SHA256
58502a3a0c1f7926c1b5cc45699515a2c99157cf3ddaf45e5468a946695b3ff1

SHA512
6338e1894662d1414f849d5096b317e890abeedfd59a2bd20de4204dc23d1b1bbd4595abf175cdaae846bd502e0f49943a7285eb2ccf61465370b88b3a3cbbc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.9MB

MD5
4803de5acc69fd0b59dfc5152b6cb2fa

SHA1
b706033fd42ddb8fe9b4646e16e694a54be5e472

SHA256
6665eaf3560a19773fd9205c052aa500dd7b7625fa4fe9bc7b8fc785139fde25

SHA512
9aa16962a3cdaeefefd301a275465c187dc299ec7bd144e5eea20c0d4a03a6259636209ce736a111004b85b498172cce0dc47192cd56fe92f831ff49825172cc

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
2.9MB

MD5
08b8512b8eb6730693a9fff2d92ff0ca

SHA1
648f7b11db1044db9293e04634b6b5b16fca1f9a

SHA256
ada7957a5c54412140611a0013989f66761731ce7f41bc00daf0b67cb3c6ca86

SHA512
21beae11165186f5b14e4ea615e1be33f2dd74c89458104de0cdc0d161e5b8cc97a9f03603ab550f195eca2385d5d198b26b28a88966f6e7947a9ba74e24cb72

Download Submit
memory/464-187-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/464-606-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/772-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/772-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/876-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/876-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/876-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1052-409-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1192-280-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1220-107-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1220-110-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1220-108-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-111-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-112-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1220-109-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1220-479-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1568-212-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1580-331-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1588-603-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1696-266-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1708-560-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1708-162-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1828-376-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1832-319-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2124-304-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2140-419-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2524-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2524-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2524-42-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2524-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2524-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2524-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2524-64-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2524-67-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2524-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2580-343-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2872-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-83-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2920-506-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2920-86-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2920-81-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2920-84-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2920-85-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2920-82-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2936-226-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3260-100-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3260-98-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3260-96-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3260-97-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3260-533-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3260-99-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3260-95-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3428-543-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3536-557-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3624-251-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3656-536-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3664-239-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3684-582-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3684-175-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3712-28-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3712-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3712-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3712-13-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/3712-9-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/3712-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3712-2-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3712-1-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3712-10-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3712-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3712-6-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3712-8-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3712-25-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3736-124-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3736-503-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4076-386-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4192-200-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4324-578-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4380-593-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4528-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4552-553-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-294-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4592-353-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4668-572-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/4860-398-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4932-364-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5024-518-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5024-150-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5072-137-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5092-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download