warzonerat | f6e87fb34289886533ec31c35176532715b24660dc4bed371afed502076f22f6

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40.exe
Size

2.7MB
MD5

8c8ba1826ba6aa186205ee0c0c26c11b
SHA1

0f47a429a527afecc785419191931e75d241c865
SHA256

48a21129f65cb76b43e36c11e1ab28fec2a1b9c8cc4c84fbb0bb9bc14e205dcf
SHA512

50f213abe257a0483c67d9acba6026044e05250cfbad3d9dece901ec51b759b289dd37263e9ab5350a78af3999c2961489900430348baf9a215ac97a0774dd38
SSDEEP

24576:ssF6mZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eH811:fF6mw4gxeOw46fUbNecCCFbNecD

Score

10^/10

warzonerat discovery evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000001938e-89.dat	warzonerat
behavioral1/files/0x000600000001937b-171.dat	warzonerat
behavioral1/files/0x00090000000193a8-188.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2352	explorer.exe
2792	explorer.exe
3060	explorer.exe
2248	spoolsv.exe
684	spoolsv.exe
2404	spoolsv.exe
388	spoolsv.exe
2896	spoolsv.exe
2784	spoolsv.exe
876	spoolsv.exe
1872	spoolsv.exe
1516	spoolsv.exe
2924	spoolsv.exe
2316	spoolsv.exe
1556	spoolsv.exe
1420	spoolsv.exe
1940	spoolsv.exe
2616	spoolsv.exe
2800	spoolsv.exe
1684	spoolsv.exe
1104	spoolsv.exe
1184	spoolsv.exe
2120	spoolsv.exe
1216	spoolsv.exe
2936	spoolsv.exe
1708	spoolsv.exe
1740	spoolsv.exe
1748	spoolsv.exe
2624	spoolsv.exe
2324	spoolsv.exe
2880	spoolsv.exe
1620	spoolsv.exe
1912	spoolsv.exe
1712	spoolsv.exe
1780	spoolsv.exe
1120	spoolsv.exe
1784	spoolsv.exe
2672	spoolsv.exe
1944	spoolsv.exe
2192	spoolsv.exe
2012	spoolsv.exe
2640	spoolsv.exe
584	spoolsv.exe
1744	spoolsv.exe
2944	spoolsv.exe
1300	spoolsv.exe
2272	spoolsv.exe
2316	spoolsv.exe
1272	spoolsv.exe
3068	spoolsv.exe
1748	spoolsv.exe
2748	spoolsv.exe
2064	spoolsv.exe
2052	spoolsv.exe
2168	spoolsv.exe
2196	spoolsv.exe
2296	spoolsv.exe
836	spoolsv.exe
2716	spoolsv.exe
2184	spoolsv.exe
2544	spoolsv.exe
2608	spoolsv.exe
1500	spoolsv.exe
812	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
636	40.exe
636	40.exe
3060	explorer.exe
3060	explorer.exe
2248	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2404	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2896	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
876	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1516	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2316	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1420	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2616	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1684	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1184	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1216	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1708	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1748	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2324	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1620	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1712	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
1120	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2672	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2192	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2640	spoolsv.exe
3060	explorer.exe
3060	explorer.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2568-0-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2568-42-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x000700000001938e-89.dat	upx
behavioral1/memory/2352-143-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x000600000001937b-171.dat	upx
behavioral1/files/0x00090000000193a8-188.dat	upx
behavioral1/memory/2248-243-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2404-253-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2896-308-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/876-361-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/876-407-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1516-463-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2316-475-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3060-473-0x00000000025A0000-0x00000000025E5000-memory.dmp	upx
behavioral1/memory/1420-531-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3060-591-0x00000000025A0000-0x00000000025E5000-memory.dmp	upx
behavioral1/memory/2616-589-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1420-563-0x00000000002A0000-0x00000000002E5000-memory.dmp	upx
behavioral1/memory/1684-647-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1184-702-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1216-753-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1216-760-0x00000000003B0000-0x00000000003F5000-memory.dmp	upx
behavioral1/memory/1708-802-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1748-854-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2324-905-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2324-925-0x00000000004D0000-0x0000000000515000-memory.dmp	upx
behavioral1/memory/1620-958-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1712-1011-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3060-1009-0x00000000025A0000-0x00000000025E5000-memory.dmp	upx
behavioral1/memory/3060-1008-0x00000000025A0000-0x00000000025E5000-memory.dmp	upx
behavioral1/memory/3060-1062-0x00000000025A0000-0x00000000025E5000-memory.dmp	upx
behavioral1/memory/1120-1061-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2672-1112-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2192-1165-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3060-1164-0x00000000025A0000-0x00000000025E5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	40.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2568 set thread context of 2172	2568	40.exe	32
PID 2172 set thread context of 636	2172	40.exe	34
PID 2172 set thread context of 1992	2172	40.exe	35
PID 2352 set thread context of 2792	2352	explorer.exe	39
PID 2792 set thread context of 3060	2792	explorer.exe	40
PID 2792 set thread context of 2576	2792	explorer.exe	41
PID 2248 set thread context of 684	2248	spoolsv.exe	45
PID 2404 set thread context of 388	2404	spoolsv.exe	49
PID 2896 set thread context of 2784	2896	spoolsv.exe	52
PID 876 set thread context of 1872	876	spoolsv.exe	56
PID 1516 set thread context of 2924	1516	spoolsv.exe	60
PID 2316 set thread context of 1556	2316	spoolsv.exe	64
PID 1420 set thread context of 1940	1420	spoolsv.exe	68
PID 2616 set thread context of 2800	2616	spoolsv.exe	72
PID 1684 set thread context of 1104	1684	spoolsv.exe	76
PID 1184 set thread context of 2120	1184	spoolsv.exe	80
PID 1216 set thread context of 2936	1216	spoolsv.exe	84
PID 1708 set thread context of 1740	1708	spoolsv.exe	88
PID 1748 set thread context of 2624	1748	spoolsv.exe	92
PID 2324 set thread context of 2880	2324	spoolsv.exe	96
PID 1620 set thread context of 1912	1620	spoolsv.exe	100
PID 1712 set thread context of 1780	1712	spoolsv.exe	104
PID 1120 set thread context of 1784	1120	spoolsv.exe	108
PID 2672 set thread context of 1944	2672	spoolsv.exe	112
PID 2192 set thread context of 2012	2192	spoolsv.exe	116
PID 2640 set thread context of 584	2640	spoolsv.exe	120
PID 1744 set thread context of 2944	1744	spoolsv.exe	124
PID 1300 set thread context of 2272	1300	spoolsv.exe	128
PID 2316 set thread context of 1272	2316	spoolsv.exe	132
PID 3068 set thread context of 1748	3068	spoolsv.exe	136
PID 2748 set thread context of 2064	2748	spoolsv.exe	140
PID 2052 set thread context of 2168	2052	spoolsv.exe	144
PID 2196 set thread context of 2296	2196	spoolsv.exe	148
PID 836 set thread context of 2716	836	spoolsv.exe	152
PID 2184 set thread context of 2544	2184	spoolsv.exe	156
PID 2608 set thread context of 1500	2608	spoolsv.exe	160
PID 812 set thread context of 2780	812	spoolsv.exe	164
PID 684 set thread context of 328	684	spoolsv.exe	169
PID 1080 set thread context of 1612	1080	spoolsv.exe	168
PID 684 set thread context of 2932	684	spoolsv.exe	170
PID 388 set thread context of 2512	388	spoolsv.exe	178
PID 388 set thread context of 1164	388	spoolsv.exe	179
PID 1640 set thread context of 1580	1640	spoolsv.exe	177
PID 548 set thread context of 1888	548	explorer.exe	180
PID 2784 set thread context of 1536	2784	spoolsv.exe	184
PID 2784 set thread context of 2444	2784	spoolsv.exe	185
PID 1248 set thread context of 2856	1248	spoolsv.exe	189
PID 1872 set thread context of 1732	1872	spoolsv.exe	193
PID 952 set thread context of 2588	952	explorer.exe	190
PID 1872 set thread context of 1184	1872	spoolsv.exe	194
PID 1216 set thread context of 2004	1216	spoolsv.exe	196
PID 2924 set thread context of 2056	2924	spoolsv.exe	200
PID 2924 set thread context of 748	2924	spoolsv.exe	201
PID 1088 set thread context of 2356	1088	spoolsv.exe	205
PID 1556 set thread context of 1928	1556	spoolsv.exe	210
PID 1556 set thread context of 2376	1556	spoolsv.exe	211
PID 2660 set thread context of 1212	2660	spoolsv.exe	212
PID 2324 set thread context of 2644	2324	explorer.exe	207
PID 1940 set thread context of 1852	1940	spoolsv.exe	215
PID 1940 set thread context of 852	1940	spoolsv.exe	216
PID 1920 set thread context of 2156	1920	spoolsv.exe	217
PID 2800 set thread context of 2536	2800	spoolsv.exe	220
PID 2800 set thread context of 276	2800	spoolsv.exe	221
PID 1540 set thread context of 2416	1540	spoolsv.exe	226

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	40.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	40.exe
636	40.exe
2352	explorer.exe
2248	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2404	spoolsv.exe
3060	explorer.exe
2896	spoolsv.exe
3060	explorer.exe
876	spoolsv.exe
3060	explorer.exe
1516	spoolsv.exe
3060	explorer.exe
2316	spoolsv.exe
3060	explorer.exe
1420	spoolsv.exe
3060	explorer.exe
2616	spoolsv.exe
3060	explorer.exe
1684	spoolsv.exe
3060	explorer.exe
1184	spoolsv.exe
3060	explorer.exe
1216	spoolsv.exe
3060	explorer.exe
1708	spoolsv.exe
3060	explorer.exe
1748	spoolsv.exe
3060	explorer.exe
2324	spoolsv.exe
3060	explorer.exe
1620	spoolsv.exe
3060	explorer.exe
1712	spoolsv.exe
3060	explorer.exe
1120	spoolsv.exe
3060	explorer.exe
2672	spoolsv.exe
3060	explorer.exe
2192	spoolsv.exe
3060	explorer.exe
2640	spoolsv.exe
3060	explorer.exe
1744	spoolsv.exe
3060	explorer.exe
1300	spoolsv.exe
3060	explorer.exe
2316	spoolsv.exe
3060	explorer.exe
3068	spoolsv.exe
3060	explorer.exe
2748	spoolsv.exe
3060	explorer.exe
2052	spoolsv.exe
3060	explorer.exe
2196	spoolsv.exe
3060	explorer.exe
836	spoolsv.exe
3060	explorer.exe
2184	spoolsv.exe
3060	explorer.exe
2608	spoolsv.exe
3060	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2568	40.exe
2568	40.exe
636	40.exe
636	40.exe
2352	explorer.exe
2352	explorer.exe
3060	explorer.exe
3060	explorer.exe
2248	spoolsv.exe
2248	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
2404	spoolsv.exe
2404	spoolsv.exe
2896	spoolsv.exe
2896	spoolsv.exe
876	spoolsv.exe
876	spoolsv.exe
1516	spoolsv.exe
1516	spoolsv.exe
2316	spoolsv.exe
2316	spoolsv.exe
1420	spoolsv.exe
1420	spoolsv.exe
2616	spoolsv.exe
2616	spoolsv.exe
1684	spoolsv.exe
1684	spoolsv.exe
1184	spoolsv.exe
1184	spoolsv.exe
1216	spoolsv.exe
1216	spoolsv.exe
1708	spoolsv.exe
1708	spoolsv.exe
1748	spoolsv.exe
1748	spoolsv.exe
2324	spoolsv.exe
2324	spoolsv.exe
1620	spoolsv.exe
1620	spoolsv.exe
1712	spoolsv.exe
1712	spoolsv.exe
1120	spoolsv.exe
1120	spoolsv.exe
2672	spoolsv.exe
2672	spoolsv.exe
2192	spoolsv.exe
2192	spoolsv.exe
2640	spoolsv.exe
2640	spoolsv.exe
1744	spoolsv.exe
1744	spoolsv.exe
1300	spoolsv.exe
1300	spoolsv.exe
2316	spoolsv.exe
2316	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
2748	spoolsv.exe
2748	spoolsv.exe
2052	spoolsv.exe
2052	spoolsv.exe
2196	spoolsv.exe
2196	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2404	2568	40.exe	30
PID 2568 wrote to memory of 2404	2568	40.exe	30
PID 2568 wrote to memory of 2404	2568	40.exe	30
PID 2568 wrote to memory of 2404	2568	40.exe	30
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2568 wrote to memory of 2172	2568	40.exe	32
PID 2172 wrote to memory of 636	2172	40.exe	34
PID 2172 wrote to memory of 636	2172	40.exe	34
PID 2172 wrote to memory of 636	2172	40.exe	34
PID 2172 wrote to memory of 636	2172	40.exe	34
PID 2172 wrote to memory of 636	2172	40.exe	34
PID 2172 wrote to memory of 636	2172	40.exe	34
PID 2172 wrote to memory of 636	2172	40.exe	34
PID 2172 wrote to memory of 636	2172	40.exe	34
PID 2172 wrote to memory of 636	2172	40.exe	34
PID 2172 wrote to memory of 1992	2172	40.exe	35
PID 2172 wrote to memory of 1992	2172	40.exe	35
PID 2172 wrote to memory of 1992	2172	40.exe	35
PID 2172 wrote to memory of 1992	2172	40.exe	35
PID 2172 wrote to memory of 1992	2172	40.exe	35
PID 2172 wrote to memory of 1992	2172	40.exe	35
PID 636 wrote to memory of 2352	636	40.exe	36
PID 636 wrote to memory of 2352	636	40.exe	36
PID 636 wrote to memory of 2352	636	40.exe	36
PID 636 wrote to memory of 2352	636	40.exe	36
PID 2352 wrote to memory of 1712	2352	explorer.exe	37
PID 2352 wrote to memory of 1712	2352	explorer.exe	37
PID 2352 wrote to memory of 1712	2352	explorer.exe	37
PID 2352 wrote to memory of 1712	2352	explorer.exe	37
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39
PID 2352 wrote to memory of 2792	2352	explorer.exe	39

C:\Users\Admin\AppData\Local\Temp\40.exe
"C:\Users\Admin\AppData\Local\Temp\40.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\40.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\40.exe
  C:\Users\Admin\AppData\Local\Temp\40.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\40.exe
    C:\Users\Admin\AppData\Local\Temp\40.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:636
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1712
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2792
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:328
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1576
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:388
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1164
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2628
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:896
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2444
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1184
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2056
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:408
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:956
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1652
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2800
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2536
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:2772
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1104
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:920
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1712
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:792
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:836
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1160
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1364
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1588
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1740
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2624
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2880
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1184
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:444
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2012
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:584
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1920
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1272
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:952
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2064
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2712
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2740
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1236
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2708
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2432
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1212
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3028
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2156
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2436
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2368
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:444
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2392
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2552
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2576
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.7MB

MD5
8c8ba1826ba6aa186205ee0c0c26c11b

SHA1
0f47a429a527afecc785419191931e75d241c865

SHA256
48a21129f65cb76b43e36c11e1ab28fec2a1b9c8cc4c84fbb0bb9bc14e205dcf

SHA512
50f213abe257a0483c67d9acba6026044e05250cfbad3d9dece901ec51b759b289dd37263e9ab5350a78af3999c2961489900430348baf9a215ac97a0774dd38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.7MB

MD5
9cf644d42e36b7fa6cb478fe051df44c

SHA1
a3408d149f35a4bd87fa2f48d17305858bbf8728

SHA256
5c7c6d766f120e551bda7f89eb8ba62e77a5e168a3e15088b26488aaaac09fef

SHA512
7d8f70a4a16283ac964890b587e6331ae58e058d8220507805bab9707dfe1f798ab4c1ffcb6ba2097b69fd295707b085dbb1b518e077b874e1da128ac9e83257

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.7MB

MD5
aa9f09a71ea19028719ad0c310f72de7

SHA1
7679b55ab712f4023f31d8595e010c238b3812b9

SHA256
40fa7124da40d703743be28eaaec9b54fcbd20e3f513eaaeba58212eda380cb3

SHA512
ccda319d9a39127255f1c215bcf9e0aaa331d6bd75c310eb04a3d62e5f7e57b862bccc2844369ba44626b158f179db1c9c7f9ddbcf13290eca18f9caf7a0f124

Download Submit
memory/388-305-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/636-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-97-0x00000000028E0000-0x0000000002925000-memory.dmp

Filesize
276KB

Download
memory/636-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/636-147-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/684-249-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/876-407-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/876-361-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1104-701-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1120-1061-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1184-702-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1184-706-0x0000000000320000-0x0000000000365000-memory.dmp

Filesize
276KB

Download
memory/1216-760-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/1216-753-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1420-531-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1420-563-0x00000000002A0000-0x00000000002E5000-memory.dmp

Filesize
276KB

Download
memory/1516-463-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1556-525-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1620-958-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1620-964-0x0000000001B90000-0x0000000001BD5000-memory.dmp

Filesize
276KB

Download
memory/1684-647-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1708-802-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1712-1011-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1712-1017-0x00000000003B0000-0x00000000003F5000-memory.dmp

Filesize
276KB

Download
memory/1740-853-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1748-854-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1780-1060-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1784-1110-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1872-413-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1912-1010-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1940-585-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1944-1163-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1992-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1992-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-1216-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2120-752-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2172-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-51-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-32-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-36-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-15-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-52-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2172-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-53-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2172-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-39-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-23-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2172-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-2-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2172-50-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2172-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2172-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-88-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2172-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2172-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-43-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2172-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2172-49-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2192-1173-0x0000000000300000-0x0000000000345000-memory.dmp

Filesize
276KB

Download
memory/2192-1165-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2248-243-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2316-487-0x00000000004D0000-0x0000000000515000-memory.dmp

Filesize
276KB

Download
memory/2316-475-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2324-925-0x00000000004D0000-0x0000000000515000-memory.dmp

Filesize
276KB

Download
memory/2324-905-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2352-143-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2404-253-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2568-42-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2568-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2616-589-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2624-903-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2672-1131-0x0000000000390000-0x00000000003D5000-memory.dmp

Filesize
276KB

Download
memory/2672-1112-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2784-356-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2792-144-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2792-181-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2800-642-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2880-957-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2896-308-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2924-474-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2936-800-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3060-955-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-1009-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-562-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-852-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-901-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-590-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-591-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-904-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-902-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-529-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-956-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-530-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-851-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-750-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-472-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-473-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-751-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-536-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-1008-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-1007-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-417-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-1063-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-1062-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-418-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-1059-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-365-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-322-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-801-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-1111-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-306-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-195-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3060-1164-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-649-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-648-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download
memory/3060-1171-0x00000000025A0000-0x00000000025E5000-memory.dmp

Filesize
276KB

Download