warzonerat | 3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
Size

6.1MB
MD5

10ccfb48b3fdac746af0a198cd947288
SHA1

71200c1c2a052da712f1b086578f68cf5a4388af
SHA256

3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d
SHA512

e6b8830e70c8c11d69a33277a96cb8a0bf4bf485641440ffd754ff176b07eb112905d39b564a0438adb7b3c45eb04b8a1b9275a7549c97f33f351ab95d65fead
SSDEEP

49152:ATU7AAmw4gxeOw46fUbNecCCFbNecjTU7AAmw4gxeOw46fUbNecCCFbNecu:ATU7d9xZw46G8q8yTU7d9xZw46G8q8N

Score

10^/10

warzonerat discovery evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x00080000000233bb-35.dat	warzonerat
behavioral2/files/0x00080000000233b7-62.dat	warzonerat
behavioral2/files/0x00080000000233c1-77.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 29 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
4632	explorer.exe
4972	explorer.exe
2756	explorer.exe
888	spoolsv.exe
3260	spoolsv.exe
2392	spoolsv.exe
4504	spoolsv.exe
3896	spoolsv.exe
3556	spoolsv.exe
4828	spoolsv.exe
1652	spoolsv.exe
2308	spoolsv.exe
3268	spoolsv.exe
3600	spoolsv.exe
4788	spoolsv.exe
2636	spoolsv.exe
2696	spoolsv.exe
4484	spoolsv.exe
4780	spoolsv.exe
1288	spoolsv.exe
2232	spoolsv.exe
396	spoolsv.exe
4568	spoolsv.exe
2020	spoolsv.exe
4276	spoolsv.exe
1256	spoolsv.exe
2360	spoolsv.exe
4148	spoolsv.exe
2548	spoolsv.exe
2084	spoolsv.exe
3968	spoolsv.exe
980	spoolsv.exe
1640	spoolsv.exe
924	spoolsv.exe
4120	spoolsv.exe
4464	spoolsv.exe
4400	spoolsv.exe
1988	spoolsv.exe
1160	spoolsv.exe
4372	spoolsv.exe
4316	spoolsv.exe
1432	spoolsv.exe
624	spoolsv.exe
1936	spoolsv.exe
636	spoolsv.exe
2920	spoolsv.exe
1724	spoolsv.exe
3428	spoolsv.exe
3588	spoolsv.exe
4696	spoolsv.exe
4996	spoolsv.exe
1836	spoolsv.exe
924	spoolsv.exe
4292	spoolsv.exe
4464	spoolsv.exe
2932	spoolsv.exe
1988	spoolsv.exe
1564	spoolsv.exe
4976	spoolsv.exe
3580	spoolsv.exe
4924	spoolsv.exe
3264	spoolsv.exe
264	spoolsv.exe
1972	spoolsv.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4820-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4820-11-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x00080000000233bb-35.dat	upx
behavioral2/memory/4632-50-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x00080000000233b7-62.dat	upx
behavioral2/files/0x00080000000233c1-77.dat	upx
behavioral2/memory/888-91-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2392-106-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3896-119-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4828-126-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2308-138-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3600-142-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2636-154-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4484-168-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1288-192-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/396-194-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2020-208-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1256-222-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4148-249-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2084-263-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/980-270-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/924-279-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4464-294-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1988-321-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4372-337-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1432-339-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1936-350-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2920-363-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3428-374-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4696-386-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 34 IoCs

description	pid	Process	procid_target
PID 4820 set thread context of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 2668 set thread context of 4416	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	103
PID 2668 set thread context of 3760	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	104
PID 4632 set thread context of 4972	4632	explorer.exe	108
PID 4972 set thread context of 2756	4972	explorer.exe	110
PID 4972 set thread context of 1544	4972	explorer.exe	111
PID 888 set thread context of 3260	888	spoolsv.exe	115
PID 2392 set thread context of 4504	2392	spoolsv.exe	119
PID 3896 set thread context of 3556	3896	spoolsv.exe	123
PID 4828 set thread context of 1652	4828	spoolsv.exe	127
PID 2308 set thread context of 3268	2308	spoolsv.exe	132
PID 3600 set thread context of 4788	3600	spoolsv.exe	136
PID 2636 set thread context of 2696	2636	spoolsv.exe	143
PID 4484 set thread context of 4780	4484	spoolsv.exe	147
PID 1288 set thread context of 2232	1288	spoolsv.exe	151
PID 396 set thread context of 4568	396	spoolsv.exe	158
PID 2020 set thread context of 4276	2020	spoolsv.exe	162
PID 1256 set thread context of 2360	1256	spoolsv.exe	166
PID 4148 set thread context of 2548	4148	spoolsv.exe	170
PID 2084 set thread context of 3968	2084	spoolsv.exe	174
PID 980 set thread context of 1640	980	spoolsv.exe	178
PID 924 set thread context of 4120	924	spoolsv.exe	182
PID 4464 set thread context of 4400	4464	spoolsv.exe	186
PID 1988 set thread context of 1160	1988	spoolsv.exe	190
PID 4372 set thread context of 4316	4372	spoolsv.exe	194
PID 1432 set thread context of 624	1432	spoolsv.exe	198
PID 1936 set thread context of 636	1936	spoolsv.exe	202
PID 2920 set thread context of 1724	2920	spoolsv.exe	206
PID 3428 set thread context of 3588	3428	spoolsv.exe	210
PID 4696 set thread context of 4996	4696	spoolsv.exe	214
PID 1836 set thread context of 924	1836	spoolsv.exe	218
PID 4292 set thread context of 4464	4292	spoolsv.exe	222
PID 2932 set thread context of 1988	2932	spoolsv.exe	226
PID 1564 set thread context of 4976	1564	spoolsv.exe	230

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
1624	1132	WerFault.exe	309
4192	3392	WerFault.exe	313
1960	1564	WerFault.exe	316
1432	2368	WerFault.exe	319
1972	2308	WerFault.exe	322
3628	372	WerFault.exe	328
4540	4392	WerFault.exe	333
5064	968	WerFault.exe	336
5072	180	WerFault.exe	339
4592	1224	WerFault.exe	342
3468	2844	WerFault.exe	345

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
4416	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
4416	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
4632	explorer.exe
4632	explorer.exe
888	spoolsv.exe
888	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2756	explorer.exe
2392	spoolsv.exe
2392	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
3896	spoolsv.exe
3896	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
4828	spoolsv.exe
4828	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
2308	spoolsv.exe
2308	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
3600	spoolsv.exe
3600	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
2636	spoolsv.exe
2636	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
4484	spoolsv.exe
4484	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
1288	spoolsv.exe
1288	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
396	spoolsv.exe
396	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
2020	spoolsv.exe
2020	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
1256	spoolsv.exe
1256	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
4148	spoolsv.exe
4148	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
2084	spoolsv.exe
2084	spoolsv.exe
2756	explorer.exe
2756	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	4112	dwm.exe
Token: SeChangeNotifyPrivilege	4112	dwm.exe
Token: 33	4112	dwm.exe
Token: SeIncBasePriorityPrivilege	4112	dwm.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
4416	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
4416	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
4632	explorer.exe
4632	explorer.exe
2756	explorer.exe
2756	explorer.exe
888	spoolsv.exe
888	spoolsv.exe
2756	explorer.exe
2756	explorer.exe
2392	spoolsv.exe
2392	spoolsv.exe
3896	spoolsv.exe
3896	spoolsv.exe
4828	spoolsv.exe
4828	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
3600	spoolsv.exe
3600	spoolsv.exe
2636	spoolsv.exe
2636	spoolsv.exe
4484	spoolsv.exe
4484	spoolsv.exe
1288	spoolsv.exe
1288	spoolsv.exe
396	spoolsv.exe
396	spoolsv.exe
2020	spoolsv.exe
2020	spoolsv.exe
1256	spoolsv.exe
1256	spoolsv.exe
4148	spoolsv.exe
4148	spoolsv.exe
2084	spoolsv.exe
2084	spoolsv.exe
980	spoolsv.exe
980	spoolsv.exe
924	spoolsv.exe
924	spoolsv.exe
4464	spoolsv.exe
4464	spoolsv.exe
1988	spoolsv.exe
1988	spoolsv.exe
4372	spoolsv.exe
4372	spoolsv.exe
1432	spoolsv.exe
1432	spoolsv.exe
1936	spoolsv.exe
1936	spoolsv.exe
2920	spoolsv.exe
2920	spoolsv.exe
3428	spoolsv.exe
3428	spoolsv.exe
4696	spoolsv.exe
4696	spoolsv.exe
1836	spoolsv.exe
1836	spoolsv.exe
4292	spoolsv.exe
4292	spoolsv.exe
2932	spoolsv.exe
2932	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 980	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	84
PID 4820 wrote to memory of 980	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	84
PID 4820 wrote to memory of 980	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	84
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 4820 wrote to memory of 2668	4820	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	89
PID 2668 wrote to memory of 4416	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	103
PID 2668 wrote to memory of 4416	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	103
PID 2668 wrote to memory of 4416	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	103
PID 2668 wrote to memory of 4416	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	103
PID 2668 wrote to memory of 4416	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	103
PID 2668 wrote to memory of 4416	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	103
PID 2668 wrote to memory of 4416	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	103
PID 2668 wrote to memory of 4416	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	103
PID 2668 wrote to memory of 3760	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	104
PID 2668 wrote to memory of 3760	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	104
PID 2668 wrote to memory of 3760	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	104
PID 2668 wrote to memory of 3760	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	104
PID 2668 wrote to memory of 3760	2668	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	104
PID 4416 wrote to memory of 4632	4416	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	105
PID 4416 wrote to memory of 4632	4416	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	105
PID 4416 wrote to memory of 4632	4416	3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe	105
PID 4632 wrote to memory of 3456	4632	explorer.exe	106
PID 4632 wrote to memory of 3456	4632	explorer.exe	106
PID 4632 wrote to memory of 3456	4632	explorer.exe	106
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108
PID 4632 wrote to memory of 4972	4632	explorer.exe	108

C:\Users\Admin\AppData\Local\Temp\3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
"C:\Users\Admin\AppData\Local\Temp\3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:980
- C:\Users\Admin\AppData\Local\Temp\3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
  C:\Users\Admin\AppData\Local\Temp\3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
    C:\Users\Admin\AppData\Local\Temp\3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3456
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:4972
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3260
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1268
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4504
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2232
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:5028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4568
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3968
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4644
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1160
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3896
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:624
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2764
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4996
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:388
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4464
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2764
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:392
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2448
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3148
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:532
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4304
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4148
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3624
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4088
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:5076
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1168
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:5064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1124
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2084
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:5024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3244
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4080
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:348
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4236
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:5056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:5072
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4040
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2248
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1072
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3404
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3396
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1452
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4112
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1696
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4760
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4696
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2264
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:756
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2176
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2316
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2088
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:388
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:764
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1660
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3144
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4452
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4532
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 556
        8⤵
        Program crash
        
        PID:1624
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 504
        8⤵
        Program crash
        
        PID:4192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 504
        8⤵
        Program crash
        
        PID:1960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 560
        8⤵
        Program crash
        
        PID:1432
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 556
        8⤵
        Program crash
        
        PID:1972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 548
        8⤵
        Program crash
        
        PID:3628
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 548
        8⤵
        Program crash
        
        PID:4540
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 548
        8⤵
        Program crash
        
        PID:5064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 552
        8⤵
        Program crash
        
        PID:5072
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 552
        8⤵
        Program crash
        
        PID:4592
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 548
        8⤵
        Program crash
        
        PID:3468
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1544
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1132 -ip 1132
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3392 -ip 3392
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1564 -ip 1564
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2368 -ip 2368
1⤵
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2308 -ip 2308
1⤵
PID:3744

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 372 -ip 372
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4392 -ip 4392
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 968 -ip 968
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 180 -ip 180
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1224 -ip 1224
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2844 -ip 2844
1⤵
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
6.1MB

MD5
10ccfb48b3fdac746af0a198cd947288

SHA1
71200c1c2a052da712f1b086578f68cf5a4388af

SHA256
3862972f557cdda70fcc672a92efd171f1de7324481fb3367e46afe94e79ac2d

SHA512
e6b8830e70c8c11d69a33277a96cb8a0bf4bf485641440ffd754ff176b07eb112905d39b564a0438adb7b3c45eb04b8a1b9275a7549c97f33f351ab95d65fead

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
6.1MB

MD5
1b8282f074f3e962841fc7d994815ecb

SHA1
5be02e168d64c73c2af662f050c0c23859e802ac

SHA256
7e26cb74736d297f1f5f5b1dacf14a85a24d1b55a1dba4b90d8b940d9707fb1a

SHA512
30035c5202db70ffc4adf0a42c4dbe0b03b3c90ddac8df76c5ce801c65f175d9021a286bb659cb84a9155eaf8039384092ba386455425209fe07635629a76782

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
6.1MB

MD5
2fc047d61edb3feb4d6e609e2d097ca2

SHA1
1dd032e550d5617efbcecf96d1784f5db2dc57be

SHA256
47564c6574774db48686579c945d12922edbe1ea6a9cd105563485500b562822

SHA512
cfbabfd2821fb912acc9a3e7a42ce172bc2e0fde85174405328ade7175d9716f5a6c5061607d291af58c032e1bea182f80ce554dfddc6263878a3e49adefb74a

Download Submit
memory/396-194-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/624-349-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/636-361-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/888-91-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/924-279-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/980-270-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1160-320-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1256-222-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1288-192-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1432-339-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1640-271-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1652-125-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1724-373-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1936-350-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1988-321-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2020-208-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2084-263-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2232-188-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2308-138-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2360-235-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2392-106-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2548-248-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2636-154-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2668-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2668-12-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2668-14-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2668-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2668-9-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2668-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2668-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2668-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2668-33-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2668-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2668-4-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2668-13-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2668-5-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2668-6-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2696-165-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2756-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-363-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3260-88-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3260-85-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3260-89-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3260-90-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3260-86-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3260-87-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3268-140-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/3268-132-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/3428-374-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3556-117-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3556-115-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3556-118-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3556-113-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3556-116-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3556-114-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3588-384-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3600-142-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3760-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3760-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3760-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3896-119-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3968-262-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4120-292-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4148-249-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4276-220-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4316-336-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4372-337-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4400-306-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4416-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4416-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4464-294-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4484-168-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4504-103-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4504-105-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4504-102-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4504-104-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4504-101-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4504-100-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4568-206-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4632-50-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4696-386-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4780-179-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4788-152-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4820-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4820-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4828-126-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4972-69-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4972-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4972-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4972-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4972-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4972-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4972-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4972-54-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4972-71-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download