warzonerat | d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
Size

2.9MB
MD5

9ec16d54e92c1c9237d7faf403bb2961
SHA1

b907d57602110f3ed92399e53e18bf7cf2aada8b
SHA256

d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a
SHA512

42bb161204885e3b84d356e39b6e72eba61a72a7d6f1c03ca97f03cfbd2c1a3acd1d3f681537e34f1ff49a492510bfd12fd432b90b5a9a72c8e313aa22cbeba3
SSDEEP

24576:ATU7AfmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHY:ATU7Afmw4gxeOw46fUbNecCCFbNecZ

Score

10^/10

warzonerat discovery evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000016d3e-88.dat	warzonerat
behavioral1/files/0x0008000000016d25-171.dat	warzonerat
behavioral1/files/0x0008000000016d46-187.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 29 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

pid	Process
1380	explorer.exe
1780	explorer.exe
1840	explorer.exe
376	spoolsv.exe
744	spoolsv.exe
2208	spoolsv.exe
1692	spoolsv.exe
2952	spoolsv.exe
296	spoolsv.exe
2536	spoolsv.exe
2192	spoolsv.exe
2416	spoolsv.exe
1772	spoolsv.exe
2784	spoolsv.exe
2716	spoolsv.exe
2328	spoolsv.exe
2276	spoolsv.exe
1528	spoolsv.exe
2076	spoolsv.exe
2060	spoolsv.exe
2672	spoolsv.exe
2604	spoolsv.exe
2496	spoolsv.exe
2412	spoolsv.exe
1284	spoolsv.exe
2780	spoolsv.exe
2128	spoolsv.exe
1140	spoolsv.exe
1516	spoolsv.exe
2980	spoolsv.exe
964	spoolsv.exe
2768	spoolsv.exe
2200	spoolsv.exe
2440	spoolsv.exe
2260	spoolsv.exe
776	spoolsv.exe
1696	spoolsv.exe
1972	spoolsv.exe
2228	spoolsv.exe
1768	spoolsv.exe
3056	spoolsv.exe
1504	spoolsv.exe
1376	spoolsv.exe
2664	spoolsv.exe
2376	spoolsv.exe
2652	spoolsv.exe
2804	spoolsv.exe
2408	spoolsv.exe
2484	spoolsv.exe
1704	spoolsv.exe
2020	spoolsv.exe
1264	spoolsv.exe
440	spoolsv.exe
1728	spoolsv.exe
552	spoolsv.exe
1580	spoolsv.exe
1732	spoolsv.exe
2568	spoolsv.exe
1200	spoolsv.exe
2596	explorer.exe
2992	spoolsv.exe
2412	spoolsv.exe
1876	explorer.exe
2524	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
2920	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
2920	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
1840	explorer.exe
1840	explorer.exe
376	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2208	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2952	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2536	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2416	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2784	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2328	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
1528	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2060	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2604	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2412	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2780	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
1140	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2980	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2768	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2440	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
776	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
1972	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
1768	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
1504	spoolsv.exe
1840	explorer.exe
1840	explorer.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2156 set thread context of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 set thread context of 2500	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	34
PID 1380 set thread context of 1780	1380	explorer.exe	38
PID 1780 set thread context of 1840	1780	explorer.exe	39
PID 1780 set thread context of 1712	1780	explorer.exe	40
PID 376 set thread context of 744	376	spoolsv.exe	44
PID 2208 set thread context of 1692	2208	spoolsv.exe	47
PID 2952 set thread context of 296	2952	spoolsv.exe	51
PID 2536 set thread context of 2192	2536	spoolsv.exe	55
PID 2416 set thread context of 1772	2416	spoolsv.exe	59
PID 2784 set thread context of 2716	2784	spoolsv.exe	63
PID 2328 set thread context of 2276	2328	spoolsv.exe	67
PID 1528 set thread context of 2076	1528	spoolsv.exe	70
PID 2060 set thread context of 2672	2060	spoolsv.exe	74
PID 2604 set thread context of 2496	2604	spoolsv.exe	77
PID 2412 set thread context of 1284	2412	spoolsv.exe	81
PID 2780 set thread context of 2128	2780	spoolsv.exe	85
PID 1140 set thread context of 1516	1140	spoolsv.exe	89
PID 2980 set thread context of 964	2980	spoolsv.exe	93
PID 2768 set thread context of 2200	2768	spoolsv.exe	97
PID 2440 set thread context of 2260	2440	spoolsv.exe	101
PID 776 set thread context of 1696	776	spoolsv.exe	105
PID 1972 set thread context of 2228	1972	spoolsv.exe	109
PID 1768 set thread context of 3056	1768	spoolsv.exe	113
PID 1504 set thread context of 1376	1504	spoolsv.exe	117
PID 2664 set thread context of 2376	2664	spoolsv.exe	121
PID 2652 set thread context of 2804	2652	spoolsv.exe	125
PID 2408 set thread context of 2484	2408	spoolsv.exe	129
PID 1704 set thread context of 2020	1704	spoolsv.exe	133
PID 1264 set thread context of 440	1264	spoolsv.exe	137
PID 1728 set thread context of 552	1728	spoolsv.exe	141
PID 1580 set thread context of 1732	1580	spoolsv.exe	145
PID 744 set thread context of 1200	744	spoolsv.exe	150
PID 2568 set thread context of 2992	2568	spoolsv.exe	149
PID 744 set thread context of 2508	744	spoolsv.exe	151
PID 2596 set thread context of 1876	2596	explorer.exe	155
PID 1692 set thread context of 2524	1692	spoolsv.exe	159
PID 1692 set thread context of 1076	1692	spoolsv.exe	161
PID 2412 set thread context of 2472	2412	spoolsv.exe	160
PID 296 set thread context of 1356	296	spoolsv.exe	164
PID 296 set thread context of 2080	296	spoolsv.exe	166
PID 1912 set thread context of 2904	1912	explorer.exe	170
PID 2916 set thread context of 2848	2916	spoolsv.exe	171
PID 2192 set thread context of 1288	2192	spoolsv.exe	172
PID 2192 set thread context of 1776	2192	spoolsv.exe	173
PID 2880 set thread context of 2888	2880	spoolsv.exe	177
PID 2212 set thread context of 2892	2212	spoolsv.exe	181
PID 1772 set thread context of 2724	1772	spoolsv.exe	184
PID 1772 set thread context of 2876	1772	spoolsv.exe	185
PID 2716 set thread context of 2132	2716	spoolsv.exe	188
PID 2716 set thread context of 2996	2716	spoolsv.exe	189
PID 1560 set thread context of 1728	1560	spoolsv.exe	192
PID 1628 set thread context of 3020	1628	explorer.exe	193
PID 2276 set thread context of 340	2276	spoolsv.exe	196
PID 2608 set thread context of 2516	2608	spoolsv.exe	200
PID 2276 set thread context of 1496	2276	spoolsv.exe	197
PID 2012 set thread context of 748	2012	explorer.exe	202
PID 2076 set thread context of 1956	2076	spoolsv.exe	206
PID 2076 set thread context of 1740	2076	spoolsv.exe	207
PID 1476 set thread context of 1720	1476	spoolsv.exe	211
PID 2672 set thread context of 824	2672	spoolsv.exe	215
PID 2120 set thread context of 2972	2120	explorer.exe	212
PID 2672 set thread context of 2732	2672	spoolsv.exe	216

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2872-42-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x0008000000016d3e-88.dat	upx
behavioral1/memory/1380-101-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/files/0x0008000000016d25-171.dat	upx
behavioral1/files/0x0008000000016d46-187.dat	upx
behavioral1/memory/376-195-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/376-241-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2208-254-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2952-308-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2536-362-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2416-416-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2416-424-0x0000000001D30000-0x0000000001D76000-memory.dmp	upx
behavioral1/memory/2784-472-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1840-470-0x00000000025B0000-0x00000000025F6000-memory.dmp	upx
behavioral1/memory/1840-492-0x00000000025B0000-0x00000000025F6000-memory.dmp	upx
behavioral1/memory/2328-530-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1840-528-0x00000000025B0000-0x00000000025F6000-memory.dmp	upx
behavioral1/memory/1528-583-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1840-640-0x00000000025B0000-0x00000000025F6000-memory.dmp	upx
behavioral1/memory/2060-639-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2604-697-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2412-747-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Windows directory 45 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
2920	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
1380	explorer.exe
376	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2208	spoolsv.exe
1840	explorer.exe
2952	spoolsv.exe
1840	explorer.exe
2536	spoolsv.exe
1840	explorer.exe
2416	spoolsv.exe
1840	explorer.exe
2784	spoolsv.exe
1840	explorer.exe
2328	spoolsv.exe
1840	explorer.exe
1528	spoolsv.exe
1840	explorer.exe
2060	spoolsv.exe
1840	explorer.exe
2604	spoolsv.exe
1840	explorer.exe
2412	spoolsv.exe
1840	explorer.exe
2780	spoolsv.exe
1840	explorer.exe
1140	spoolsv.exe
1840	explorer.exe
2980	spoolsv.exe
1840	explorer.exe
2768	spoolsv.exe
1840	explorer.exe
2440	spoolsv.exe
1840	explorer.exe
776	spoolsv.exe
1840	explorer.exe
1972	spoolsv.exe
1840	explorer.exe
1768	spoolsv.exe
1840	explorer.exe
1504	spoolsv.exe
1840	explorer.exe
2664	spoolsv.exe
1840	explorer.exe
2652	spoolsv.exe
1840	explorer.exe
2408	spoolsv.exe
1840	explorer.exe
1704	spoolsv.exe
1840	explorer.exe
1264	spoolsv.exe
1840	explorer.exe
1728	spoolsv.exe
1840	explorer.exe
1580	spoolsv.exe
1840	explorer.exe
2568	spoolsv.exe
2596	explorer.exe
1840	explorer.exe
2412	spoolsv.exe
1840	explorer.exe
1912	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
2920	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
2920	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
1380	explorer.exe
1380	explorer.exe
1840	explorer.exe
1840	explorer.exe
376	spoolsv.exe
376	spoolsv.exe
1840	explorer.exe
1840	explorer.exe
2208	spoolsv.exe
2208	spoolsv.exe
2952	spoolsv.exe
2952	spoolsv.exe
2536	spoolsv.exe
2536	spoolsv.exe
2416	spoolsv.exe
2416	spoolsv.exe
2784	spoolsv.exe
2784	spoolsv.exe
2328	spoolsv.exe
2328	spoolsv.exe
1528	spoolsv.exe
1528	spoolsv.exe
2060	spoolsv.exe
2060	spoolsv.exe
2604	spoolsv.exe
2604	spoolsv.exe
2412	spoolsv.exe
2412	spoolsv.exe
2780	spoolsv.exe
2780	spoolsv.exe
1140	spoolsv.exe
1140	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2768	spoolsv.exe
2768	spoolsv.exe
2440	spoolsv.exe
2440	spoolsv.exe
776	spoolsv.exe
776	spoolsv.exe
1972	spoolsv.exe
1972	spoolsv.exe
1768	spoolsv.exe
1768	spoolsv.exe
1504	spoolsv.exe
1504	spoolsv.exe
2664	spoolsv.exe
2664	spoolsv.exe
2652	spoolsv.exe
2652	spoolsv.exe
2408	spoolsv.exe
2408	spoolsv.exe
1704	spoolsv.exe
1704	spoolsv.exe
1264	spoolsv.exe
1264	spoolsv.exe
1728	spoolsv.exe
1728	spoolsv.exe
1580	spoolsv.exe
1580	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2916	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	28
PID 2872 wrote to memory of 2916	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	28
PID 2872 wrote to memory of 2916	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	28
PID 2872 wrote to memory of 2916	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	28
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2872 wrote to memory of 2156	2872	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	30
PID 2156 wrote to memory of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 wrote to memory of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 wrote to memory of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 wrote to memory of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 wrote to memory of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 wrote to memory of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 wrote to memory of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 wrote to memory of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 wrote to memory of 2920	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	33
PID 2156 wrote to memory of 2500	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	34
PID 2156 wrote to memory of 2500	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	34
PID 2156 wrote to memory of 2500	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	34
PID 2156 wrote to memory of 2500	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	34
PID 2156 wrote to memory of 2500	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	34
PID 2156 wrote to memory of 2500	2156	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	34
PID 2920 wrote to memory of 1380	2920	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	35
PID 2920 wrote to memory of 1380	2920	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	35
PID 2920 wrote to memory of 1380	2920	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	35
PID 2920 wrote to memory of 1380	2920	d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe	35
PID 1380 wrote to memory of 1696	1380	explorer.exe	36
PID 1380 wrote to memory of 1696	1380	explorer.exe	36
PID 1380 wrote to memory of 1696	1380	explorer.exe	36
PID 1380 wrote to memory of 1696	1380	explorer.exe	36
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38
PID 1380 wrote to memory of 1780	1380	explorer.exe	38

C:\Users\Admin\AppData\Local\Temp\d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
"C:\Users\Admin\AppData\Local\Temp\d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
  C:\Users\Admin\AppData\Local\Temp\d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
    C:\Users\Admin\AppData\Local\Temp\d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1696
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1780
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1840
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        Executes dropped EXE
        
        PID:1200
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2508
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:264
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1076
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:296
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2080
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1776
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1776
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1772
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        
        PID:2912
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2876
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2996
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:340
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        
        PID:836
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:748
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1496
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:1956
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        11⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        11⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1740
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:2672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        
        PID:824
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:2732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2656
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2496
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        10⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        9⤵
        
        PID:1748
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2120
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2692
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2260
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2068
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2828
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2564
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1584
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2804
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2604
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2532
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2316
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:440
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:552
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2904
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2992
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1828
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2472
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1788
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2888
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1728
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1548
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2604
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:1712
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
9ec16d54e92c1c9237d7faf403bb2961

SHA1
b907d57602110f3ed92399e53e18bf7cf2aada8b

SHA256
d396f349cb37954968d1565fe16dee383c7673bae7a147a4d6fa33be628a177a

SHA512
42bb161204885e3b84d356e39b6e72eba61a72a7d6f1c03ca97f03cfbd2c1a3acd1d3f681537e34f1ff49a492510bfd12fd432b90b5a9a72c8e313aa22cbeba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
5133f946bc50bf09c6a5dd64fdec2a35

SHA1
52fa91222e4e6980a87b51bc7dff8dd2eee0dc34

SHA256
c3ce8ab6fbf64014968aa20ebc0666e8a8ee906d59530f73e487dae4f7847063

SHA512
d1d09aa32db3099665c2b5e9fea1348fe11e5b3bfdbe781699bfc88f08970b97a4c77b1d5643604e3354539fea56f7182a08be6ef7a36ba667e5dd05fd228b34

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
d86e9e7c885403521983d34a71582f3a

SHA1
af0c73f757bdc42ab8ccb5fc70e4082f636888c4

SHA256
ca6098bad1562709703f6323382b4aa8693fd3f8f909f9e3348e5ff985edab79

SHA512
ebfdf4f633eebf83ba3d3c7340e7ada568977bf0f3284b45544a1bd9b05ef8e3afad4886284df91a68d8a3c2508bee9e085d619d8dfc84b4fc2b23fcbaeaf840

Download Submit
memory/296-354-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/296-1765-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/376-200-0x0000000001D40000-0x0000000001D86000-memory.dmp

Filesize
280KB

Download
memory/376-195-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/376-241-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/744-1620-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/744-253-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1284-794-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1380-101-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1528-583-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1692-302-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1692-1709-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/1772-464-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1772-2010-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1780-186-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1780-152-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1840-640-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-637-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-2316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1840-252-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-1030-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-890-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-791-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-745-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-746-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-695-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-306-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-632-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-307-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-194-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-638-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-310-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-641-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-599-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-528-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-529-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-492-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-470-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-471-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/1840-361-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/2060-639-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2060-660-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2076-633-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2076-2279-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2156-49-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-38-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-41-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-43-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2156-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2156-53-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2156-47-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2156-36-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-13-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-31-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-2-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2156-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2156-50-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2156-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-11-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-48-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-51-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-52-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2156-16-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2156-86-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2156-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2192-412-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2192-1894-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2208-286-0x0000000000300000-0x0000000000346000-memory.dmp

Filesize
280KB

Download
memory/2208-254-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2276-2189-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2328-530-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2412-747-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2416-424-0x0000000001D30000-0x0000000001D76000-memory.dmp

Filesize
280KB

Download
memory/2416-416-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2496-743-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2500-90-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2536-362-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2536-370-0x0000000000450000-0x0000000000496000-memory.dmp

Filesize
280KB

Download
memory/2604-712-0x0000000000340000-0x0000000000386000-memory.dmp

Filesize
280KB

Download
memory/2604-697-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2672-696-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2672-2387-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2716-2034-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2716-523-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2784-472-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2872-42-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2872-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2920-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-100-0x00000000024D0000-0x0000000002516000-memory.dmp

Filesize
280KB

Download
memory/2920-66-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-99-0x00000000024D0000-0x0000000002516000-memory.dmp

Filesize
280KB

Download
memory/2920-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-60-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2920-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-314-0x0000000001D50000-0x0000000001D96000-memory.dmp

Filesize
280KB

Download
memory/2952-308-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download