warzonerat | f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61b

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
Size

2.9MB
MD5

8a562c3b213c76e1982a2f4642b13f50
SHA1

1f83c9201da2db2418b8da6bba327c8e7e36b6ab
SHA256

f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61b
SHA512

58b180cf1a055f347206e94e59a1607daf00505311201b942256fd1baa8ba38c7ef5b6d57bc7dd69ba0b41fe81339a23168404463491ee4b53cd15606d7d5214
SSDEEP

24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHo:ATU7AAmw4gxeOw46fUbNecCCFbNecD

Score

10^/10

warzonerat discovery evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023cb2-34.dat	warzonerat
behavioral2/files/0x0008000000023cb0-62.dat	warzonerat
behavioral2/files/0x0008000000023cb6-78.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe

Drops startup file 27 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 52 IoCs

pid	Process
1608	explorer.exe
2400	explorer.exe
4252	explorer.exe
4772	spoolsv.exe
3108	spoolsv.exe
4360	spoolsv.exe
3796	spoolsv.exe
4040	spoolsv.exe
1520	spoolsv.exe
3772	spoolsv.exe
2308	spoolsv.exe
2124	spoolsv.exe
4512	spoolsv.exe
5028	spoolsv.exe
4488	spoolsv.exe
2660	spoolsv.exe
228	spoolsv.exe
864	spoolsv.exe
3592	spoolsv.exe
964	spoolsv.exe
3888	spoolsv.exe
1540	spoolsv.exe
4788	spoolsv.exe
3408	spoolsv.exe
1220	spoolsv.exe
2040	spoolsv.exe
3348	spoolsv.exe
4724	spoolsv.exe
4032	spoolsv.exe
5016	spoolsv.exe
1480	spoolsv.exe
4564	spoolsv.exe
3268	spoolsv.exe
1064	spoolsv.exe
2512	spoolsv.exe
4676	spoolsv.exe
4284	spoolsv.exe
1788	spoolsv.exe
512	spoolsv.exe
4232	spoolsv.exe
2204	spoolsv.exe
916	spoolsv.exe
776	spoolsv.exe
1980	spoolsv.exe
864	spoolsv.exe
2632	spoolsv.exe
224	spoolsv.exe
3008	spoolsv.exe
932	spoolsv.exe
2040	spoolsv.exe
1424	spoolsv.exe
2176	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 30 IoCs

description	pid	Process	procid_target
PID 4284 set thread context of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4748 set thread context of 1988	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	91
PID 4748 set thread context of 4432	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	92
PID 1608 set thread context of 2400	1608	explorer.exe	96
PID 2400 set thread context of 4252	2400	explorer.exe	97
PID 2400 set thread context of 736	2400	explorer.exe	98
PID 4772 set thread context of 3108	4772	spoolsv.exe	102
PID 4360 set thread context of 3796	4360	spoolsv.exe	106
PID 4040 set thread context of 1520	4040	spoolsv.exe	110
PID 3772 set thread context of 2308	3772	spoolsv.exe	114
PID 2124 set thread context of 4512	2124	spoolsv.exe	118
PID 5028 set thread context of 4488	5028	spoolsv.exe	122
PID 2660 set thread context of 228	2660	spoolsv.exe	126
PID 864 set thread context of 3592	864	spoolsv.exe	130
PID 964 set thread context of 3888	964	spoolsv.exe	134
PID 1540 set thread context of 4788	1540	spoolsv.exe	138
PID 3408 set thread context of 1220	3408	spoolsv.exe	142
PID 2040 set thread context of 3348	2040	spoolsv.exe	146
PID 4724 set thread context of 4032	4724	spoolsv.exe	150
PID 5016 set thread context of 1480	5016	spoolsv.exe	154
PID 4564 set thread context of 3268	4564	spoolsv.exe	158
PID 1064 set thread context of 2512	1064	spoolsv.exe	162
PID 4676 set thread context of 4284	4676	spoolsv.exe	166
PID 1788 set thread context of 512	1788	spoolsv.exe	170
PID 4232 set thread context of 2204	4232	spoolsv.exe	174
PID 916 set thread context of 776	916	spoolsv.exe	178
PID 1980 set thread context of 864	1980	spoolsv.exe	182
PID 2632 set thread context of 224	2632	spoolsv.exe	186
PID 3008 set thread context of 932	3008	spoolsv.exe	190
PID 2040 set thread context of 1424	2040	spoolsv.exe	194

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4284-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4284-11-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x0009000000023cb2-34.dat	upx
behavioral2/memory/1608-38-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1608-50-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x0008000000023cb0-62.dat	upx
behavioral2/files/0x0008000000023cb6-78.dat	upx
behavioral2/memory/4772-80-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4360-106-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4040-108-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3772-121-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2124-145-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/5028-147-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2660-173-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/864-185-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/964-197-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1540-199-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1540-211-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3408-224-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2040-238-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4724-251-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/5016-265-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4564-268-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1064-282-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4676-306-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1788-309-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4232-323-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/916-346-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1980-358-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2632-370-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3008-381-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2040-384-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2176-397-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Windows directory 29 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
1988	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
1988	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
1608	explorer.exe
1608	explorer.exe
4772	spoolsv.exe
4772	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4252	explorer.exe
4360	spoolsv.exe
4360	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
4040	spoolsv.exe
4040	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
3772	spoolsv.exe
3772	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
2124	spoolsv.exe
2124	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
5028	spoolsv.exe
5028	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
2660	spoolsv.exe
2660	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
864	spoolsv.exe
864	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
964	spoolsv.exe
964	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
1540	spoolsv.exe
1540	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
3408	spoolsv.exe
3408	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
2040	spoolsv.exe
2040	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
4724	spoolsv.exe
4724	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
5016	spoolsv.exe
5016	spoolsv.exe
4252	explorer.exe
4252	explorer.exe

Suspicious use of SetWindowsHookEx 60 IoCs

pid	Process
4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
1988	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
1988	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
1608	explorer.exe
1608	explorer.exe
4252	explorer.exe
4252	explorer.exe
4772	spoolsv.exe
4772	spoolsv.exe
4252	explorer.exe
4252	explorer.exe
4360	spoolsv.exe
4360	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe
3772	spoolsv.exe
3772	spoolsv.exe
2124	spoolsv.exe
2124	spoolsv.exe
5028	spoolsv.exe
5028	spoolsv.exe
2660	spoolsv.exe
2660	spoolsv.exe
864	spoolsv.exe
864	spoolsv.exe
964	spoolsv.exe
964	spoolsv.exe
1540	spoolsv.exe
1540	spoolsv.exe
3408	spoolsv.exe
3408	spoolsv.exe
2040	spoolsv.exe
2040	spoolsv.exe
4724	spoolsv.exe
4724	spoolsv.exe
5016	spoolsv.exe
5016	spoolsv.exe
4564	spoolsv.exe
4564	spoolsv.exe
1064	spoolsv.exe
1064	spoolsv.exe
4676	spoolsv.exe
4676	spoolsv.exe
1788	spoolsv.exe
1788	spoolsv.exe
4232	spoolsv.exe
4232	spoolsv.exe
916	spoolsv.exe
916	spoolsv.exe
1980	spoolsv.exe
1980	spoolsv.exe
2632	spoolsv.exe
2632	spoolsv.exe
3008	spoolsv.exe
3008	spoolsv.exe
2040	spoolsv.exe
2040	spoolsv.exe
2176	spoolsv.exe
2176	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 3064	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	83
PID 4284 wrote to memory of 3064	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	83
PID 4284 wrote to memory of 3064	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	83
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4284 wrote to memory of 4748	4284	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	87
PID 4748 wrote to memory of 1988	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	91
PID 4748 wrote to memory of 1988	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	91
PID 4748 wrote to memory of 1988	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	91
PID 4748 wrote to memory of 1988	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	91
PID 4748 wrote to memory of 1988	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	91
PID 4748 wrote to memory of 1988	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	91
PID 4748 wrote to memory of 1988	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	91
PID 4748 wrote to memory of 1988	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	91
PID 4748 wrote to memory of 4432	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	92
PID 4748 wrote to memory of 4432	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	92
PID 4748 wrote to memory of 4432	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	92
PID 4748 wrote to memory of 4432	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	92
PID 4748 wrote to memory of 4432	4748	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	92
PID 1988 wrote to memory of 1608	1988	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	93
PID 1988 wrote to memory of 1608	1988	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	93
PID 1988 wrote to memory of 1608	1988	f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe	93
PID 1608 wrote to memory of 2168	1608	explorer.exe	94
PID 1608 wrote to memory of 2168	1608	explorer.exe	94
PID 1608 wrote to memory of 2168	1608	explorer.exe	94
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96
PID 1608 wrote to memory of 2400	1608	explorer.exe	96

C:\Users\Admin\AppData\Local\Temp\f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
"C:\Users\Admin\AppData\Local\Temp\f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
  C:\Users\Admin\AppData\Local\Temp\f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Users\Admin\AppData\Local\Temp\f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
    C:\Users\Admin\AppData\Local\Temp\f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61bN.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2168
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2400
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2300
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4512
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4488
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:4140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4788
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:512
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:776
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:864
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:224
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:932
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4996
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:736
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
8a562c3b213c76e1982a2f4642b13f50

SHA1
1f83c9201da2db2418b8da6bba327c8e7e36b6ab

SHA256
f402e412e78a60f2afc12789ae3229568effd05ca2ce1736bfc230c87cecf61b

SHA512
58b180cf1a055f347206e94e59a1607daf00505311201b942256fd1baa8ba38c7ef5b6d57bc7dd69ba0b41fe81339a23168404463491ee4b53cd15606d7d5214

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.9MB

MD5
4a39b65e750c9d4c3dfe0fb6db9bb213

SHA1
c6c29a05baa9496dde66be3254f38c8e74da79b7

SHA256
5295b9840c746322c44012165f547ebd16b3767db52799e9ca65d3578a6f9e1a

SHA512
b65a843f1e1511251617922669a7073ff98f79a24fd4f38bf63fdf09598d4fd0412fb61f1e5d3f76a34492301f111f1f10de8e845789adcf2d616174551d4ed6

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.9MB

MD5
8c6ee987690ef18b7738002069868eb5

SHA1
5a5a84fb943314ef0ba9b7ade741b790ede0b18b

SHA256
b4e4af9355b21d2eb98c6dd902da82c683a591df628f32b389a6b1c2d565a705

SHA512
11ac4b3ed250b16a608693110a03c03d22b8a5acc04b9f24105081beabba3ce13da3b78f0d77b5c869316640e13f92f879fa379d153b7a06767dff2e62527ac3

Download Submit
memory/224-369-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/228-172-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/512-321-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/776-343-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/864-357-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/864-185-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/916-346-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/932-380-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/964-197-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1064-282-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1220-223-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1424-394-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1480-264-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1520-119-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1540-211-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1540-199-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1608-50-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1608-38-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1788-309-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1980-358-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1988-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1988-21-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2040-238-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2040-384-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2124-145-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2176-397-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2204-332-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2308-132-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2400-49-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2400-69-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-47-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2400-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2400-74-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2400-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-54-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2400-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2632-370-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2660-173-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3008-381-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3108-90-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3108-86-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3108-89-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3108-91-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3108-87-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3108-88-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3348-237-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3408-224-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3772-121-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3796-101-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3796-104-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3796-100-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3796-105-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3796-103-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3796-102-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4032-252-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4040-108-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4232-323-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4252-65-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4284-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4284-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4284-307-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4360-106-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4432-26-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4432-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4432-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4488-159-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4512-144-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4564-268-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4676-306-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4724-251-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4748-4-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4748-7-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4748-31-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4748-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4748-13-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4748-10-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/4748-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4748-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4748-9-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4748-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4748-12-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4748-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4748-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4772-80-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5016-265-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5028-147-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download