warzonerat | b3b07854e225d39b56bb1744747818e5b598f0e5cc8a0ca034451e8ca8f72d82

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
Size

2.9MB
MD5

055751552710305ce02fc2faedfa52e2
SHA1

f7b88c8a829bd035777365a8840955d3fcb232cd
SHA256

b3b07854e225d39b56bb1744747818e5b598f0e5cc8a0ca034451e8ca8f72d82
SHA512

8fa7aa713656cda54c4df3a28948806d3b35fbbb9c8204a7d4c8bd62da3441a5b19a78527d37bde0431807e3aefb5947a5d7ce032bd908e70e64d36e4afad704
SSDEEP

24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHA:ATU7AAmw4gxeOw46fUbNecCCFbNec3

Score

10^/10

warzonerat evasion infostealer persistence rat upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 34 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
232	explorer.exe
2464	explorer.exe
4384	explorer.exe
3764	spoolsv.exe
1076	spoolsv.exe
2552	spoolsv.exe
2424	spoolsv.exe
872	spoolsv.exe
1280	spoolsv.exe
5108	spoolsv.exe
1692	spoolsv.exe
1548	spoolsv.exe
1428	spoolsv.exe
1844	spoolsv.exe
2724	spoolsv.exe
4528	spoolsv.exe
3160	spoolsv.exe
1904	spoolsv.exe
1092	spoolsv.exe
2452	spoolsv.exe
3272	spoolsv.exe
4048	spoolsv.exe
1764	spoolsv.exe
2028	spoolsv.exe
4500	spoolsv.exe
4292	spoolsv.exe
2352	spoolsv.exe
2204	spoolsv.exe
3412	spoolsv.exe
4656	spoolsv.exe
2568	spoolsv.exe
4740	spoolsv.exe
3392	spoolsv.exe
2876	spoolsv.exe
2216	spoolsv.exe
3736	spoolsv.exe
684	spoolsv.exe
3604	spoolsv.exe
3232	spoolsv.exe
2664	spoolsv.exe
1904	spoolsv.exe
4544	spoolsv.exe
1408	spoolsv.exe
860	spoolsv.exe
1956	spoolsv.exe
5036	spoolsv.exe
2060	spoolsv.exe
3472	spoolsv.exe
1756	spoolsv.exe
3480	spoolsv.exe
2968	spoolsv.exe
4976	spoolsv.exe
2372	spoolsv.exe
4460	spoolsv.exe
4764	spoolsv.exe
4040	spoolsv.exe
3152	spoolsv.exe
4696	spoolsv.exe
3756	spoolsv.exe
2328	spoolsv.exe
1788	spoolsv.exe
3532	spoolsv.exe
3468	spoolsv.exe
2304	spoolsv.exe

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2180-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2180-10-0x0000000000400000-0x0000000000446000-memory.dmp	upx
C:\Windows\System\explorer.exe	upx
behavioral2/memory/232-39-0x0000000000400000-0x0000000000446000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	upx
C:\Windows\System\spoolsv.exe	upx
behavioral2/memory/3764-78-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2552-104-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/872-106-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/5108-119-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1548-132-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1844-146-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4528-169-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1904-184-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2452-196-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4048-212-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2028-214-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2028-226-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4292-228-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2204-242-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4656-268-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4740-271-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2876-297-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3736-300-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3604-315-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2664-340-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4544-351-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/860-352-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/5036-364-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3472-377-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3480-389-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4976-402-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4460-425-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4040-427-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4696-439-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2328-451-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3532-463-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2332-505-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2160-506-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4664-509-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4664-588-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4920-594-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2832-624-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2880-693-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4008-689-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

055751552710305ce02fc2faedfa52e2_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe

Suspicious use of SetThreadContext 53 IoCs

Processes:

055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe055751552710305ce02fc2faedfa52e2_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 2180 set thread context of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 set thread context of 3824	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 set thread context of 3216	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	diskperf.exe
PID 232 set thread context of 2464	232	explorer.exe	explorer.exe
PID 2464 set thread context of 4384	2464	explorer.exe	explorer.exe
PID 2464 set thread context of 5096	2464	explorer.exe	diskperf.exe
PID 3764 set thread context of 1076	3764	spoolsv.exe	spoolsv.exe
PID 2552 set thread context of 2424	2552	spoolsv.exe	spoolsv.exe
PID 872 set thread context of 1280	872	spoolsv.exe	spoolsv.exe
PID 5108 set thread context of 1692	5108	spoolsv.exe	spoolsv.exe
PID 1548 set thread context of 1428	1548	spoolsv.exe	spoolsv.exe
PID 1844 set thread context of 2724	1844	spoolsv.exe	spoolsv.exe
PID 4528 set thread context of 3160	4528	spoolsv.exe	spoolsv.exe
PID 1904 set thread context of 1092	1904	spoolsv.exe	spoolsv.exe
PID 2452 set thread context of 3272	2452	spoolsv.exe	spoolsv.exe
PID 4048 set thread context of 1764	4048	spoolsv.exe	spoolsv.exe
PID 2028 set thread context of 4500	2028	spoolsv.exe	spoolsv.exe
PID 4292 set thread context of 2352	4292	spoolsv.exe	spoolsv.exe
PID 2204 set thread context of 3412	2204	spoolsv.exe	spoolsv.exe
PID 4656 set thread context of 2568	4656	spoolsv.exe	spoolsv.exe
PID 4740 set thread context of 3392	4740	spoolsv.exe	spoolsv.exe
PID 2876 set thread context of 2216	2876	spoolsv.exe	spoolsv.exe
PID 3736 set thread context of 684	3736	spoolsv.exe	spoolsv.exe
PID 3604 set thread context of 3232	3604	spoolsv.exe	spoolsv.exe
PID 2664 set thread context of 1904	2664	spoolsv.exe	spoolsv.exe
PID 4544 set thread context of 1408	4544	spoolsv.exe	spoolsv.exe
PID 860 set thread context of 1956	860	spoolsv.exe	spoolsv.exe
PID 5036 set thread context of 2060	5036	spoolsv.exe	spoolsv.exe
PID 3472 set thread context of 1756	3472	spoolsv.exe	spoolsv.exe
PID 3480 set thread context of 2968	3480	spoolsv.exe	spoolsv.exe
PID 4976 set thread context of 2372	4976	spoolsv.exe	spoolsv.exe
PID 4460 set thread context of 4764	4460	spoolsv.exe	spoolsv.exe
PID 4040 set thread context of 3152	4040	spoolsv.exe	spoolsv.exe
PID 4696 set thread context of 3756	4696	spoolsv.exe	spoolsv.exe
PID 2328 set thread context of 1788	2328	spoolsv.exe	spoolsv.exe
PID 1428 set thread context of 1524	1428	spoolsv.exe	spoolsv.exe
PID 1076 set thread context of 740	1076	spoolsv.exe	spoolsv.exe
PID 1428 set thread context of 1000	1428	spoolsv.exe	diskperf.exe
PID 1076 set thread context of 4540	1076	spoolsv.exe	diskperf.exe
PID 1692 set thread context of 324	1692	spoolsv.exe	spoolsv.exe
PID 1692 set thread context of 4584	1692	spoolsv.exe	diskperf.exe
PID 2424 set thread context of 544	2424	spoolsv.exe	spoolsv.exe
PID 2724 set thread context of 2824	2724	spoolsv.exe	spoolsv.exe
PID 2724 set thread context of 3636	2724	spoolsv.exe	diskperf.exe
PID 2832 set thread context of 1888	2832	explorer.exe	explorer.exe
PID 3160 set thread context of 3604	3160	spoolsv.exe	spoolsv.exe
PID 3160 set thread context of 2320	3160	spoolsv.exe	diskperf.exe
PID 1092 set thread context of 3520	1092	spoolsv.exe	spoolsv.exe
PID 1092 set thread context of 4664	1092	spoolsv.exe	diskperf.exe
PID 4008 set thread context of 3864	4008	spoolsv.exe	spoolsv.exe
PID 2880 set thread context of 704	2880	explorer.exe	explorer.exe
PID 3272 set thread context of 3060	3272	spoolsv.exe	spoolsv.exe
PID 3272 set thread context of 1680	3272	spoolsv.exe	diskperf.exe

Drops file in Windows directory 38 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe055751552710305ce02fc2faedfa52e2_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4720 3532 WerFault.exe spoolsv.exe
4536 4920 WerFault.exe spoolsv.exe

pid	pid_target	process	target process
4720	3532	WerFault.exe	spoolsv.exe
4536	4920	WerFault.exe	spoolsv.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe055751552710305ce02fc2faedfa52e2_JaffaCakes118.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
3824	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
3824	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
232	explorer.exe
232	explorer.exe
3764	spoolsv.exe
3764	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
4384	explorer.exe
4384	explorer.exe
2552	spoolsv.exe
2552	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
872	spoolsv.exe
872	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
5108	spoolsv.exe
5108	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
1548	spoolsv.exe
1548	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
1844	spoolsv.exe
1844	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
4528	spoolsv.exe
4528	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
1904	spoolsv.exe
1904	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
2452	spoolsv.exe
2452	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
4048	spoolsv.exe
4048	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
2028	spoolsv.exe
2028	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
4292	spoolsv.exe
4292	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
2204	spoolsv.exe
2204	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
4656	spoolsv.exe
4656	spoolsv.exe
4384	explorer.exe
4384	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dwm.exe

description	pid	process
Token: SeCreateGlobalPrivilege	2912	dwm.exe
Token: SeChangeNotifyPrivilege	2912	dwm.exe
Token: 33	2912	dwm.exe
Token: SeIncBasePriorityPrivilege	2912	dwm.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
3824	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
3824	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
232	explorer.exe
232	explorer.exe
4384	explorer.exe
4384	explorer.exe
3764	spoolsv.exe
3764	spoolsv.exe
4384	explorer.exe
4384	explorer.exe
2552	spoolsv.exe
2552	spoolsv.exe
872	spoolsv.exe
872	spoolsv.exe
5108	spoolsv.exe
5108	spoolsv.exe
1548	spoolsv.exe
1548	spoolsv.exe
1844	spoolsv.exe
1844	spoolsv.exe
4528	spoolsv.exe
4528	spoolsv.exe
1904	spoolsv.exe
1904	spoolsv.exe
2452	spoolsv.exe
2452	spoolsv.exe
4048	spoolsv.exe
4048	spoolsv.exe
2028	spoolsv.exe
2028	spoolsv.exe
4292	spoolsv.exe
4292	spoolsv.exe
2204	spoolsv.exe
2204	spoolsv.exe
4656	spoolsv.exe
4656	spoolsv.exe
4740	spoolsv.exe
4740	spoolsv.exe
2876	spoolsv.exe
2876	spoolsv.exe
3736	spoolsv.exe
3736	spoolsv.exe
3604	spoolsv.exe
3604	spoolsv.exe
2664	spoolsv.exe
2664	spoolsv.exe
4544	spoolsv.exe
4544	spoolsv.exe
860	spoolsv.exe
860	spoolsv.exe
5036	spoolsv.exe
5036	spoolsv.exe
3472	spoolsv.exe
3472	spoolsv.exe
3480	spoolsv.exe
3480	spoolsv.exe
4976	spoolsv.exe
4976	spoolsv.exe
4460	spoolsv.exe
4460	spoolsv.exe
4040	spoolsv.exe
4040	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe055751552710305ce02fc2faedfa52e2_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2180 wrote to memory of 2912	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2912	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2912	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2180 wrote to memory of 2712	2180	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 wrote to memory of 3824	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 wrote to memory of 3824	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 wrote to memory of 3824	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 wrote to memory of 3824	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 wrote to memory of 3824	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 wrote to memory of 3824	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 wrote to memory of 3824	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 wrote to memory of 3824	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
PID 2712 wrote to memory of 3216	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	diskperf.exe
PID 2712 wrote to memory of 3216	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	diskperf.exe
PID 2712 wrote to memory of 3216	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	diskperf.exe
PID 2712 wrote to memory of 3216	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	diskperf.exe
PID 2712 wrote to memory of 3216	2712	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	diskperf.exe
PID 3824 wrote to memory of 232	3824	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	explorer.exe
PID 3824 wrote to memory of 232	3824	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	explorer.exe
PID 3824 wrote to memory of 232	3824	055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe	explorer.exe
PID 232 wrote to memory of 3232	232	explorer.exe	cmd.exe
PID 232 wrote to memory of 3232	232	explorer.exe	cmd.exe
PID 232 wrote to memory of 3232	232	explorer.exe	cmd.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe
PID 232 wrote to memory of 2464	232	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:2912

C:\Users\Admin\AppData\Local\Temp\055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\055751552710305ce02fc2faedfa52e2_JaffaCakes118.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3824

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:3232

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2464

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4384

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:740

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4540

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2424

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:544

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1692

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:324

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4584

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1524

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:4964

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1888

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1000

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2824

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3604

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
- Drops startup file
PID:404

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:704

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3060

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1920

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2444

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2400

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2352

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3412

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:872

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:5108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2216

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4248

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2364

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1904

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:888

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:376

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:392

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3756

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 392
8⤵
- Program crash
PID:4720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
PID:3468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
PID:2304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:396

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4420

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1096

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:460

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2332

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2160

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:5032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:4664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4508

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1268

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3648

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:324

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2552

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5068

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:220

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2812

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2148

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:660

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1176

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:768

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3816

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1712

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1444

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1548

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2780

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:5076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1164

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4968

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3076

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3952

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4008

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3408

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4524

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4724

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4996

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4632

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3556

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4928

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2688

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 188
8⤵
- Program crash
PID:4536

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3864

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Drops file in Windows directory
PID:2328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3792

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1628

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:5096

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1280 -ip 1280
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4920 -ip 4920
1⤵
PID:2584

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
2.9MB

MD5
055751552710305ce02fc2faedfa52e2

SHA1
f7b88c8a829bd035777365a8840955d3fcb232cd

SHA256
b3b07854e225d39b56bb1744747818e5b598f0e5cc8a0ca034451e8ca8f72d82

SHA512
8fa7aa713656cda54c4df3a28948806d3b35fbbb9c8204a7d4c8bd62da3441a5b19a78527d37bde0431807e3aefb5947a5d7ce032bd908e70e64d36e4afad704

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.9MB

MD5
44639d272c1d75b4f7c76331f1104b00

SHA1
44dc48dea9237ab92486755e2a69fb00e0d5ed0c

SHA256
4292c367562925992d6e088c5aa1cc76d661458b39be8d06a71ef87f05e6b9fb

SHA512
f2175e7791be7c37b4c30f34239701443941f3a593872bb3fb482d451a6043a2a0ef5b3e7e9edfb8af2eeac577b7a828a1deb321cc4d6ff3ef7bf04c57b86314

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.9MB

MD5
8a8e53ba8f40ae557ec71de3b665c84e

SHA1
90ff99835dd9037723ed5ab694a6bd2548894663

SHA256
7c94a639a7e131ba9c6c80c4d17ccd7dd2a552414f2fd9e2ecf0835f2e317ee4

SHA512
cd9e8a809145a28689baabe462a4cfa4c1a266d9d3fad3697384e88adb9890268fc94098321011a30a5e967ad46d4b1e49ed28bdfa77061d881f7c5a3c75e716

Download Submit
memory/232-39-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/324-639-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/544-647-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/684-311-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/740-614-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/860-352-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/872-106-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1076-88-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1076-623-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1076-85-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1076-87-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1076-89-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1076-86-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1076-84-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1092-183-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1280-114-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1280-115-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1280-117-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1280-113-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1280-112-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1280-116-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1408-350-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1428-143-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1428-621-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1524-679-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1524-610-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1548-132-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1692-130-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1692-635-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1692-593-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1756-388-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1764-211-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1788-461-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1844-146-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1888-674-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1904-184-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1904-339-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1956-363-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2028-214-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2028-226-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2060-376-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2160-506-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2180-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2180-10-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2204-242-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2216-296-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2328-451-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2332-505-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2352-240-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2372-412-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2424-103-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2424-651-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2452-196-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2464-69-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2464-49-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2464-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2464-50-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2464-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2464-48-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2464-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2464-53-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2464-66-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2552-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2568-267-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2664-340-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2712-8-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2712-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2712-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2712-29-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2712-7-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2712-11-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/2712-4-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2712-9-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2712-12-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2712-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2712-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2712-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2712-6-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2724-646-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2724-157-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2724-673-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2824-665-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2832-624-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2876-297-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2880-693-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2968-401-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3152-437-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3160-692-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3160-171-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3216-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3216-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3216-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3232-326-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3272-198-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3392-283-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3412-253-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3472-377-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3480-389-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3532-463-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3604-315-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3604-690-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3736-300-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3756-449-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3764-78-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3824-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3824-17-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3824-51-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4008-689-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4040-427-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4048-212-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4292-228-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4384-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4384-503-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-425-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4500-225-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4528-169-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4544-351-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4656-268-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4664-588-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4664-509-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4696-439-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4740-271-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4764-424-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4920-594-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4976-402-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5036-364-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5108-119-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download